WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2002 >> [2002] EPICAlert 2

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 9.02 [2002] EPICAlert 2


Volume 9.02 January 29, 2002

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Qwest Backs Down from Opt-Out Marketing Plan
[2] State AGs Urged to Protect Consumers from Microsoft Passport
[3] EPIC Files FOIA Suit for Profiling Records
[4] FTC Proposes Telemarketing Do-Not-Call List
[5] Policy Forum Debates Face Recognition Technology
[6] Eli Lilly Settles with FTC over Privacy Violation
[7] EPIC Bookstore - Privacy and the Information Age
[8] Upcoming Conferences and Events

[1] Qwest Backs Down from Opt-Out Marketing Plan

Qwest Communications announced on Monday that it is withdrawing itsplan to share private customer information, which was implementedduring the December billing period. Citing numerous customerconcerns, the company has stated that it will wait until the FederalCommunications Commission (FCC) has proposed a final rule on theissue.

This decision followed a nationwide campaign, led by EPIC, to forceQwest to change its policy. EPIC wrote to Qwest President AfshinMohebbi in early January, urging him to suspend the plan to usetelephone-call records for marketing purposes. Others vociferouslyopposed to the company's opt-out policy included Washington StateAttorney General Christine Gregoire, Minnesota Senator Paul Wellstone,
and the Arizona Corporation Commissioners.

Qwest is the first company in the telecom industry to announce that itwill not share private customer account information until the FCC hashad an opportunity to issue new rules on the process. SBC-Ameritechand Verizon -- both of which also implemented opt-out plans in thelast month -- have stated no similar intention of withdrawing theirinformation-sharing plans.

The Telecommunications Act of 1996 required telecommunicationscompanies to obtain customers' approval prior to sharing customerproprietary network information (CPNI), or data collected bytelecommunications corporations about a consumer's telephone calls,
with third parties. EPIC and other privacy advocates and consumerrights groups argued that "approval" implied that a consumer had togive positive, express consent to the sharing of information: that is,
to "opt-in" to the marketing scheme. Telecommunications companiesargued that they could start from a presumption of approval, and allowcustomers the choice to "opt-out" of the marketing program byexplicitly withdrawing their consent. In 1998, the FCC instituted arule requiring that customers "opt-in" to the marketing program forpersonal information contained in their CPNI to be shared or used formarketing purposes.

U.S. West (now Qwest) challenged the FCC rule in the 10th Circuitcourt of appeals, which found that the FCC had failed to provideadequate evidence to establish that the rule furthered a substantialgovernment interest, that it materially advanced such an interest, andthat it was narrowly tailored to serve that interest. In October2001, the FCC initiated a rulemaking procedure on the issue byrequesting comments from all parties to create a more complete record.

EPIC initiated the campaign for opt-in by filing comments and replycomments at the FCC last November. Following Qwest's implementationof an opt-out policy, the FCC announced that it would continue toaccept comments from consumers wishing to express their opinion inthis ongoing debate. Consumers wishing to do so can comment by e-mailat or by regular mail: FCC, 445 12th St. S.W.,
Washington, D.C. 20554, attn: Consumer Information Bureau. ReferenceDocket No. 96-115.

For a history of the CPNI debate, see EPIC's CPNI page:

[2] State AGs Urged to Protect Consumers from Microsoft Passport

EPIC sent a letter today to state attorneys general across the nationurging them to protect citizens from the privacy and security risks ofMicrosoft Passport through the use of state laws against unfair anddeceptive trade practices.

Microsoft Passport is an online identification and authenticationsystem that enables profiling of individuals' browsing, shopping, andcontent consumption behaviors. Microsoft officials have publiclystated that the company's goal is to have every Internet user in thePassport system. Through tying Passport to the Windows XP operatingsystem, and to an ever-increasing number of web site registrations,
Microsoft claims over 200 million Passport accounts.

Microsoft appears to have violated state laws by failing to provideadequate notice of the privacy and security risks raised by Passport.
Additionally, Microsoft likely violated state laws by representingthat Passport gives users control of their data when in reality,
Microsoft has control of user data.

State laws often provide broader consumer protections than federalstatutes. For instance, in California, the protection of privacyagainst government and business interests is an inalienable right thatis embodied in the state Constitution. California has a public policyand mandate to protect consumers. Through interpretation of thismandate, the California Attorney General, or private persons, couldinitiate a lawsuit to protect consumers from Microsoft Passport.

In two previous filings with the Federal Trade Commission (FTC),
fifteen privacy and consumer protection organizations urged theCommission to investigate Microsoft Passport and related services.
Since filing these complaints, there have been numerous securitybreaches in the Passport system; however, the Commission has taken nopublic action to investigate Microsoft.

EPIC's Letter to State Attorneys General:

EPIC's "Sign Out of Passport" Page:

[3] EPIC Files FOIA Suit for Profiling Records

On January 21, EPIC asked a federal court to order the disclosure ofrecords regarding the sale of personal information to law enforcementagencies. Government access to personal data has become morecontroversial since September 11 as anti-terrorism investigativepowers have been expanded. In a complaint filed in federal districtcourt, EPIC charged that the Departments of Justice and Treasury haveviolated the law by failing to respond to a series of Freedom ofInformation Act (FOIA) requests that EPIC has submitted. The FOIArequests sought records relating to "transactions, communications, andcontracts" between law enforcement agencies and private firms that areengaged in the sale of personal information.

The information requests were submitted in response to news reportsthat ChoicePoint, a profiling company, routinely sells personalinformation to federal law enforcement agencies. The requests werefiled with the Federal Bureau of Investigation, the Drug EnforcementAgency, the United States Marshals Service, the Internal RevenueService, the Immigration and Nationalization Service, and the Bureauof Alcohol, Tobacco and Firearms.

"Through the mining of public records and the purchase of creditreporting data, private sector companies are amassing troves ofpersonal information on citizens for the government," said EPICattorney Chris Hoofnagle, who filed the court challenge. "Seriousquestions exist involving citizen access to profiles, their accuracy,
and the potential for misuse of personal information."

Documents obtained by EPIC show that ChoicePoint and Experian, anotherprofiling company, sold the IRS credit header data, property records,
state motor vehicle records, marriage and divorce data, andinternational asset location data. IRS employees have access to thispersonal data from their desktop computers. To facilitate the IRSaccount and access for other law enforcement agencies, ChoicePoint hascreated a federal government web portal at

"ChoicePoint and Experian are selling profiles on citizens with littlepublic awareness or oversight," said Hoofnagle. "We need to askourselves: who is watching the watchers?"

The complaint in EPIC v. Department of Justice, et al. is online at:

EPIC's Consumer Profiling Page:

EPIC's Public Records Profiling Page:

[4] FTC Proposes Telemarketing Do-Not-Call List

On January 22, the Federal Trade Commission (FTC) issued a Notice of aProposed Rulemaking to amend the Telemarketing Sales Rule (TSR). TheRule was issued in August 1995 pursuant to the Telemarketing ConsumerFraud and Abuse Prevention Act of 1994 to protect consumers frominvasive and fraudulent telemarketing practices. It currentlyrestricts telemarketing calls to between the hours of 8:00 a.m. and9:00 p.m., requires telemarketers to identify calls as sales calls,
and prohibits deceptive or false sales pitches. The proposedamendment to the rule would create a national Do-Not-Call (DNC) listfor individuals who wish to avoid sales calls, prohibit the use of"pre-acquired account information" in telemarketing, and prohibittelemarketers from blocking or circumventing Caller-ID systems.

Increased protection for consumers from unwanted or fraudulenttelemarketing was included as a key part of the FTC's new privacyagenda, which was released by Chairman Muris on October 4, 2001 (seeAlert 8.20). The move is supported by privacy and consumer advocateswho point out that Congress clearly intended the creation of anational Do-Not-Call (DNC) list when it passed the Telephone ConsumerProtection Act of 1991. That Act authorized the FederalCommunications Commission (FCC) to issue regulations that would allowindividuals to opt out of telemarketing calls in an efficient mannerand without cost. Congress specifically noted that this "may requirethe establishment and operation of a single national database" oftelephone numbers of individuals who had opted out. The FCC, however,
under pressure from the Direct Marketing Association and otherindustry lobbyists, decided instead to implement a more limited systemwhereby individuals have to opt out of calls on a company-by-companybasis.

The FTC is encouraging the public to comment on the proposed changes.
Written comments will be accepted until March 29, 2002. The FTC willthen hold a public forum to discuss the issues raised during thecomment period. Notice of intention to participate in this event mustalso be submitted before March 29, 2002.

The Notice of Rulemaking is available at:

The current Telemarketing Sales Rule is available at:

For more information on telemarketing, visit EPIC's TelemarketingInformation Page:

and Junkbusters' Telemarketing Information Page:

[5] Policy Forum Debates Face Recognition Technology

The Cato Institute hosted a policy forum entitled "Eye in the Sky andEverywhere Else: Do Biometric Technologies Violate Our Rights?" onJanuary 24, 2002. Forum panelists debated the role that emergingbiometric technologies could play in future society. Frances Zelazny,
Head of Corporate Communications at Visionics, one of the leadingbiometric vendors, saw face recognition technology being used foraccess control, surveillance, background checks, and the creation ofsecure IDs. Zelazny favorably cited the example of Newham, a smallcrime-ridden borough of London, England, where face recognitiontechnology was used in conjunction with a saturation of surveillancecameras to reduce the crime rate. She noted that the success of thesystem depended on the quality of images enrolled in the database, theparticipation of the subjects whose images are being captured, and thethreshold of acceptance for false positive and false negative matches.

Visionics suggests using internal privacy guidelines that include "nomatch, no memory," but seeks responsible public policy to put in placeoversight and audit mechanisms to control the technology. DorothyDenning, professor of computer science at Georgetown University,
reflected more broadly on the potential uses of biometric technology.
She suggested that the use of this technology for authentication andanti-fraud purposes is relatively uncontroversial while its use inidentification and profiling raises important public policy questions.

John Woodward, Jr., Senior Policy Analyst from RAND, echoed Visionics'
call for responsible use of surveillance systems. He argued that boththe up-front deployment of the surveillance system and, moresignificantly, the back-end databases need to be strictly regulatedwith regards to the information they collect and link with.
Pre-September 11, Woodward conceded that the key question confrontingpolicymakers was whether face recognition technology should bedeployed in public. Post-September 11, however, the question is howsuch technology can be used. Woodward believes that face recognitiontechnology can be used effectively to "keep bad people away." He alsoargued that there is no right to privacy in the facial features oneshows in public, and therefore face recognition technology does notimplicate any rights violation.

Marc Rotenberg, Executive Director of EPIC, took a different positionon the rights violated by new surveillance technologies. He arguedthat these systems compel a person's identity in a public place, andthat there is a long tradition in American constitutional law thatprotects people from such coercive action by enforcement authorities(see EPIC's amicus brief in the Watchtower Bible case). Rotenbergdrew a parallel between new surveillance technology and wiretaptechnology in the late 1920s. While surveillance technology is stillin its infancy, he argued that Congress needs to develop laws, as itdid for wiretaps, to limit the indiscriminate and unregulated use ofsuch technology. Face recognition and other biometric identificationtechnologies are "Technologically Assisted Physical Searches" (TAPS),
suggested Rotenberg, and must have similar protections and oversightmechanisms as physical searches have in the law today.

American Bar Association (ABA) TAPS Guidelines:

Issue Paper: Biometrics: Facing Up to Terrorism, by John D. Woodward,

Visonics Privacy Protection Principles:

EPIC Face Recognition Page:

EPIC's Watchtower Bible Amicus Brief (PDF):

[6] Eli Lilly Settles with FTC over Privacy Violation

On January 18, the Federal Trade Commission (FTC) announced asettlement in a case involving Eli Lilly and Company's accidentaldisclosure of the email addresses of 700 subscribers of a mentalhealth information list. The FTC acted in response to a July 2001American Civil Liberties Union (ACLU) complaint highlighting Lilly'snegligence and requesting that the FTC take appropriate action.

This is the first settlement of its kind resulting from negligence.
J. Howard Beales, III, Director of the Bureau of Consumer Protectionat the FTC, emphasized that even an unintentional release of sensitivemedical information is a serious privacy breach. Further, the FTCalleged that claims of privacy and confidentiality found in Lilly'sprivacy policies were deceptive due to Lilly's failure to implement asystem to adequately protect sensitive information.

While the settlement did not involve the exchange of money, it didinvolve a promise on the part of Lilly to take appropriate securitymeasures to protect consumer privacy. Under the settlement, Lilly isspecifically required to designate personnel to coordinate and overseea data protection program, identify risks to the security,
confidentiality, and integrity of personal information, and to addressthese risks in all areas of its operations. Lilly must also conductan annual written review to monitor compliance with the program,
evaluate its effectiveness, and recommend any necessary changes.

In response to the settlement, FTC Commissioner Orson Swindle statedthat "Lilly's responsiveness and its efforts to improve corporateprivacy practices can be a model for others to follow."

The FTC voted 5-0 to accept the proposed settlement, and anannouncement will soon be published in the Federal Register regardingthe proposed consent agreement. The agreement will then be subject topublic comment, after which the Commission will decide whether to makeit final.

The FTC's press release outlining the settlement is available at:

The July 2001 ACLU complaint is available at:

[7] EPIC Bookstore - Privacy and the Information Age

Privacy and the Information Age, by Serge Gutwirth, for the RathenauInstitute. Translated by Raf Casert.

Privacy and the Information Age is an English translation, new for2002, of Serge Gutwirth's 1998 "Privacyvrijheid." In this book,
Gutwirth illustrates his thesis that privacy involves much more thanjust the protection of personal data; it is the fundamentalsafeguarding of an individual's freedom to decide whether he/she wouldlike that data to be known or shared. Drawing on many internationalsources, Gutwirth examines challenges to privacy posed by newtechnologies, ultimately arguing that privacy is central to personalfreedom, and that personal freedom is central to democracy.

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Lawsand Developments," (EPIC 2001). Price: $20.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including, data protection, telephonetapping, genetic databases, ID systems and freedom of informationlaws.

"The Privacy Law Sourcebook 2001: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20.

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

** POSTPONED! ** First Privacy Expo 2001. Privacy & American Businessand Privacy Council. Was November 27-29, 2001; will be rescheduled forFebruary or March 2002. Washington, DC. For more information:

** POSTPONED! ** Eighth Annual National "Managing the NEW PrivacyRevolution" Conference. Privacy & American Business and PrivacyCouncil. Was November 28-29, 2001; will be rescheduled for February orMarch 2002. Washington, DC. For more information:

Second Annual Privacy and Data Security Summit. Privacy OfficersAssociation. January 30-February 1, 2002. Washington, DC. For moreinformation:

The Biometric Consortium Conference. February 13-15, 2002 (rescheduledfrom September 12-14, 2001). Arlington, VA. For more information:

Congressional Briefing on Cybersecurity. Forum on Technology &
Innovation. February 14, 2002. Washington, DC. For more information:

CLA 6th Annual Cyberspace Camp Conference. Computer Law Association.
February 14-16. San Jose, CA. For more information:

Moving to the Forefront of Privacy Management for Bank & FinancialServices Executives. World Research Group. February 26-28, 2002. NewOrleans, LA. For more information:

2nd Annual BNA Summit: Combatting Cyber Attacks on your CorporateData. Bureau of National Affairs. February 27-28, 2002. Washington,
DC. For more information:

Understanding Privacy: New Laws, New Challenges. BC Freedom ofInformation and Privacy Association (FIPA). March 11-12, 2002.
Vancouver, British Columbia, Canada. For more information:

HIPAA Summit West II: The Leading Forum on Healthcare Privacy,
Confidentiality, Data Security, and HIPAA Compliance. March 13-15,
2002. San Francisco, CA. For more information:

Fourth Annual e-ProtectIT Infrastructure Security Conference. NorwichUniversity. March 20-22, 2002. Northfield, Vermont. For moreinformation:

International Symposium on Freedom of Information and Privacy. Officeof the New Zealand Privacy Commissioner. March 28, 2002. Auckland, NewZealand. For more information:

Workshop on Privacy Enhancing Technologies. April 14-15, 2002. SanFrancisco, CA. For more information:

CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy.
April 16-19, 2002. San Francisco, CA. For more information:

2002 IEEE Symposium on Security and Privacy. IEEE and theInternational Association for Cryptologic Research. May 12-15, 2002.
Oakland, CA. For more information:

INET 2002. Internet Society. June 18-21, 2002. Washington, DC. Formore information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

Subject line: "subscribe" or "unsubscribe"

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact if you wouldlike to change your subscription email address, or if you have anyother questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learnLatin at the same time! Receive a free "sed quis custodietipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 9.02


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback