
EPIC Alert


EPIC Alert 10.10 [2003] EPICAlert 10


Volume 10.10 May 23, 2003

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Pentagon Submits Report on Info Awareness Project
[2] EPIC Testifies at Senate Spam Hearing
[3] Justice Department Reports on PATRIOT Act Implementation
[4] FTC Workshop on Technologies for Protecting Personal Information
[5] EPIC Obtains ChoicePoint Documents in FOIA Suit
[6] News in Brief
[7] EPIC Bookstore: Invisible Punishment
[8] Upcoming Conferences and Events

[1] Pentagon Submits Report on Info Awareness Project

On May 20, the Pentagon's Defense Advanced Research Projects Agency (DARPA) submitted its congressionally-mandated report on the Total Information Awareness Program (TIA), now re-named the "Terrorism" Information Awareness Program. The name change, according to DARPA, was necessary because the original name "created in some minds the impression that TIA was a system to be used for developing dossiers on U.S. citizens."

Congress required DARPA to provide responses to five questions. First, a detailed accounting of the funds, proposed expenditure plans, and target dates for deployment; second, an analysis discussing the likely efficacy of the surveillance program; third, an analysis of the likely impact on privacy and civil liberties; fourth, an accounting of the current laws that would govern information being sought by TIA and any modifications to the laws that TIA might require; and finally, Congress asked for recommendations, endorsed by the Attorney General, for practices, procedures, and regulations to eliminate or minimize adverse effects on privacy and other civil liberties.

DARPA's report describes the program's goals and budget information, its efforts to develop protections for the data it plans to collect, and an explanation of how it intends to comply with U.S. laws. The report reveals that DARPA is building a prototype for the Army's Intelligence and Security Command (INSCOM) for the Information Dominance Center (re-named Information Operations Center). In addition, the report discloses more information about projects such as "Scalable Social Network Analysis," "Activity Recognition and Monitoring," and "Next-Generation Face Technology" that has not been publicly reported.

The Information Awareness Office, whose mission is described as developing technologies to "counter asymmetric threats by achieving total information awareness," is pursuing the development of four different categories of technologies. First, the umbrella program, the Information Awareness prototype; second, tools for collaboration and decision support; third, language translation programs; and fourth, data storage, mining and information classification technologies.

In response to questions about the legal restrictions surrounding the collection of data for the information awareness program, DARPA states that it will only use information that is legally obtainable by the Federal government. This includes information available to intelligence agencies. The report does not discuss the role of the judicial branch or the legislative branch in limiting or overseeing executive branch powers. The report also suggests that Pentagon officials view privacy as a question of developing appropriate classification of information and authorization for government officials. This is in contrast to genuine privacy protections, such as the Fair Information Practices embodied in the Privacy Act, which limits the collection of information and provides opportunities for access and correction of records to provide due process rights to individuals.

The public report provides an opportunity for more informed public debate over the TIA program and its goals. EPIC has made available TIA contractor documents it obtained under the Freedom of Information Act to enable greater public oversight of the surveillance program. Congress will need to determine if DARPA has fully answered the questions required by law. It must also determine whether the operational deployment of information awareness technology in the Army's INSCOM is permitted under restrictions preventing the technology from being deployed against U.S. persons without explicit Congressional approval.

The DARPA report on TIA is available at:

EPIC's Total Information Awareness Page:

[2] EPIC Testifies at Senate Spam Hearing

The Senate Commerce Committee explored Unsolicited Commercial Email, or "spam," at a hearing on May 21. EPIC Executive Director Marc Rotenberg testified on the need for strong, effective measures to reduce spam. Other panelists included FTC Commissioners Orson Swindle and Mozelle Thompson, AOL Vice Chairman Ted Leonsis, the CEO of Brightmail, a leading anti-spam company, a representative from the Network Advertising Initiative, and Ronnie Scelson, a spammer. EPIC's testimony argued in favor of "opt-in" mailing lists, a private right of action for consumers, and freedom for states to pursue spammers, combined with technical measures and international cooperation.

Rotenberg noted that spam is increasing rapidly and threatens to choke email communications, but that it is a complex problem to solve. Legislation alone will not stop spam, but could play an important role. A multi-tiered approach that includes aggressive enforcement, better technology for identifying and filtering spam, and cooperation at the state and international level would all be necessary. The Transatlantic Consumer Dialogue (TACD) has called for international cooperation in helping consumers fight unsolicited commercial messages. He pointed out that legislative responses to the spam problem might set precedents for other emerging communications media where unsolicited commercial messages are sent to consumers.

Rotenberg argued that technical solutions such as filtering tools or the blocking of incoming emails may not be sufficient. Filters or blocking tools would be either ineffective or might overblock important messages from friends or business. Solutions must also be sensitive to the constitutional implications; a requirement, for instance, to identify the sender of non-commercial messages would be unconstitutional.

FTC Commissioner Thompson told the committee that legislation was needed, while Commissioner Swindle argued that technological solutions would provide a better fix. They agreed to provide the committee with a set of policy recommendations within 45 days based on information from the FTC's recent Spam Forum. AOL's Leonsis argued in favor of federal legislation that would assist AOL's efforts to combat spam. The Network Advertising Initiative supported strong legislation to prohibit deception and fraud through spam, but opposed legislation requiring companies to obtain opt-in consent before sending unsolicited commercial messages. They also seek federal preemption of state laws. The most colorful witness, Scelson, who is a self-identified spammer, made a commercial free speech defense of his activities. He accused AOL and other Internet Service Providers of spamming their own members and entering contracts with spammers who agreed to pay a higher price to reach the ISPs' users.

EPIC's testimony is available at:

Senate Commerce Committee witness list and testimony:

[3] Justice Department Reports on PATRIOT Act Implementation

The Justice Department has released a sixty-page report that provides fresh insights into its use of the USA PATRIOT Act surveillance powers. The report responds to a series of critical questions posed by the House Judiciary Committee that sought to understand what the department was doing to fight terrorism and protect civil liberties. The report describes the operational changes initiated by the new Attorney General Guidelines and the Foreign Intelligence Surveillance Review Court opinion that brought down the "wall" between intelligence and law enforcement. Additionally, the report provides information on data-mining activities currently underway at the department and DOJ's assistance in the development of the airline passenger profiling program. Finally, DOJ classified sections of the report addressing its foreign intelligence guidelines under Executive Order 12333 and how it conducted three successive "sweeps" of Arab American and South Asian communities since September 11.

The report attempts to play down the government's use of the new powers, while at the same time showing that they have been crucial in disrupting terrorist plots. The examples used to illustrate the use of the new authorities are in many cases unrelated to terrorism, such as credit card fraud, kidnapping, drugs, and theft. The report provides some new statistics on the use of delayed notification searches and seizures under Section 213 of the PATRIOT Act.

The report discloses that following the FISA Review Court's endorsement of the Attorney General's new Guidelines that weakened the "wall" between intelligence and criminal investigations, criminal prosecutors are reviewing 4,500 intelligence files for evidence or information for use in criminal cases. The department notes that criminal investigations and immigration enforcement are "key preventative tools" for counter terrorism and that information obtained through the FISA is being used for those purposes. The report also discusses FISA procedures, training programs and field guidelines. Information on the department's use of other surveillance techniques under sections 204, 206, 214, and 215 is being provided to the Committee in classified form.

The report attempts to explain how the new Attorney General's Guidelines allowing FBI access to publicly available information and public spaces, including mosques, have worked in practice. It also discusses the Secure Counterterrorism Operational Prototype Environment (SCOPE) and Investigative Data Warehouse, which are the FBI's attempts to develop specialized tools to "identify and present hidden relationships" in the data. The data sources for data-mining and pattern recognition include commercial data from ChoicePoint and iMap, federal government data, and intelligence data. DOJ acknowledges that the use of data-mining must comply with the Privacy Act and asserts that it provides access to data stored by the Justice Department. The department also disclosed that the Computer Assisted Passenger Pre-Screening Program, if implemented, proposes to use the Violent Gang Terrorist Organization File (VGTOF) to screen airline passengers.

The Justice Department report is available at:

EPIC's Attorney General's Guidelines Page:

[4] FTC Workshop on Technologies for Protecting Personal Information

On May 14, the Federal Trade Commission (FTC) explored "Technologies for Protecting Personal Information: The Consumer Experience" as part of a public workshop on the role of technology for consumer privacy protection.

During the workshop, the FTC considered consumer tools for managing the collection and use of personal information. EPIC commented that the starting point for such a discussion is a clear understanding of what is meant by privacy enhancing technologies (PETs). PETs are technologies or tools that eliminate or minimize the collection of personally identifiable information. Individuals commonly use PETs in the physical world. Cash, for instance, enables us to purchase items and services without transferring any personally identifiable information. Digital cash could function in a similar way.

After providing a number of examples of tools that genuinely advance privacy, EPIC noted several common characteristics to them. For example, all genuine PETs:

* limit the collection of personally identifiable information;
* enable commerce and communication;
* do not facilitate the collection of personal information;
* do not force Internet users to trade privacy for convenience; and
* do not treat privacy as a business commodity.

These are all desirable characteristics that genuinely advance privacy and promote transactional activity in the online environment.

For more information on the workshop, see:

[5] EPIC Obtains ChoicePoint Documents in FOIA Suit

Documents obtained under a Freedom of Information Act (FOIA) lawsuit provide more insight into how law enforcement and counterintelligence agents are using private-sector databases to obtain personal information. Much of the material concerns ChoicePoint, one of the largest data-vending firms. The documents were heavily redacted by the FBI, which excised "ChoicePoint information," even when the information appeared in news stories collected by the agency.

An FBI memorandum titled "Guidance Regarding the Use of ChoicePoint for Foreign Intelligence Collection or Foreign Counterterrorism Investigations" analyzes law enforcement use of ChoicePoint in the context of federal privacy laws and the Attorney General's Guidelines. The memorandum rationalizes use of private-sector databases as the "least intrusive means" of collecting personal information and concludes that ChoicePoint can be used for foreign intelligence and counterintelligence investigations.

A presentation titled "The FBI's Public-Source Information Program Fact Versus Fiction" highlights the agency's access to property records, professional licenses, news articles, driver and DMV records, census records, and credit headers. It lists ChoicePoint, Westlaw, Lexis Nexis, Dun and Bradstreet, and credit reporting agencies as sources for this information. Reliance on these databases has increased by 9600 percent since 1992, according to the presentation. However, one unnamed credit reporting agency is no longer selling credit header information to law enforcement.

Unrelated documents filed in a federal lawsuit in the Northern District of Georgia indicate that ChoicePoint is constructing a "Central Biometric Authority." According to the complaint filed by International Biometric Group and ChoicePoint's answer, the central biometric authority is intended to perform "secure and standardized acquisition, matching, and indexing of biometric data." This biometrics database appears to be in development for ChoicePoint's expanding employee and volunteer background check services.

FBI Guidance on Use of ChoicePoint:

FBI Presentation on Public Source Information:

Complaint in International Biometric Group v. ChoicePoint:

Answer in International Biometric Group v. ChoicePoint:

[6] News in Brief

Microsoft Passport Flaw Discovered
A computer researcher in Pakistan found a new flaw in Microsoft Passport that could expose personal information, including credit card numbers, for 200 million Internet users. In July and August 2001, EPIC and a coalition of consumer advocacy groups filed detailed complaints with the Federal Trade Commission (FTC) concerning the privacy risks associated with the Passport identification and authentication system. The FTC found that Microsoft's representations about Passport constituted unfair and deceptive trade practices and settled the action against Microsoft. The agreement requires that Microsoft establish a comprehensive information security program for Passport, and that it must not misrepresent its practices of information collection and usage.

EPIC's Passport Page:

Senate Holds First Fair Credit Reporting Hearing
The Senate Banking Committee began the first of a series of hearings to determine whether states should be able to enact laws that provide greater consumer protection than federal law. The hearing was held because one portion of the Fair Credit Reporting Act relating to preemption of state laws will expire on January 1, 2004, thus paving the way for states to experiment with different approaches to credit law. The sole witness before the committee was Howard Beales, Director of the FTC's Bureau of Consumer Protection. While the FTC has not taken a position on preemption, the agency did describe three important ways in which credit reporting has changed. First, more types of businesses are using credit reports. Second, there is a greater reliance on prescreening, unsolicited offers of credit or insurance that are targeted to certain individuals based on their credit reports. Last, many businesses are now using credit reports for risk-based pricing for products and services.

FTC Testimony:

EPIC Preemption Watch Page:

U.S. To Require Biometrics in Visas and Passports
Pursuant to the Homeland Security Act of 2002, the Department of Homeland Security will introduce the US-VISIT (United States Visitor and Immigrant Status Indicator Technology) program by the end of 2004. The program collects, maintains and shares information, including biometric identifiers on foreign nationals. The system is designed to scan travel documents, take fingerprints and pictures of foreign nationals to check them against government databases. Other biometric identifiers, such as facial recognition and iris scan, are likely to be introduced by 2005.

Citizens of nations that participate in the Visa Waiver Program will be asked either to show a national passport that contains biometric data (fingerprint) or they will be excluded from the waiver program and have to apply for a visa. The database that will be created under the US-VISIT program will store all data for an unspecified length of time and will be shared across all law enforcement agencies.

U.S. VISIT Program Fact Sheet:

[7] EPIC Bookstore: Invisible Punishment

Invisible Punishment; The Collateral Consequences of Mass Imprisonment, The New Press, ISBN 1-56584-726-1

On any given day in America's capital over 10 percent of African-American men between the ages of eighteen and thirty-five are in prison, and over half are under some form of correctional supervision. Under current conditions, well over 75 percent of African-American men in the District of Columbia can expect to be incarcerated at some time in their lives. Nationwide a million people are convicted of felony crimes each year; 450,000 of them are sentenced to prison. Incarceration is the predominant mode of crime control in the United States, as the country follows what appears to be a social policy of mass imprisonment.

"Invisible Punishment" is a fascinating new book from the Sentencing Project, a public interest organization that promotes criminal justice reform and chronicles how the unprecedented expansion of the prison system over three decades has also brought with it a complex network of "invisible punishments" affecting families and communities nationwide. Federal and state governments impose collateral punishments for crimes that include denying voting rights, welfare benefits, public housing, social security benefits, and creating registration laws. Private employers have followed suit by increasingly relying on fingerprinting and background checks for employment decisions. As one of the authors argues, "In the modern welfare state, these restrictions of the universe of social and welfare rights amount to a variant on the tradition of 'civil death' in which the offender is defined as unworthy of the benefits of society, and is excluded from the social compact."

The prison policy has a disproportionate impact on minorities and raises fundamental questions of justice, fairness, and access to resources. In 1980, 40,000 people were in prison for drug possession. Today, because of the War on Drugs, there are a half million people in prison on drug charges. The result of the mass imprisonment policy is the creation of a large population of felons, concentrated in poor, minority communities, who are "marked" and "monitored" and cut off from the supports of modern society. The authors warn us that, "We are creating deeper and longer-lasting distinctions between 'us' and 'them.'" And, of course, such a policy produces further inequality by reinforcing the cycle of diminished expectations for the next generation.

Technologies of identification, record storage and data linkage create the conditions for invisible punishment to flourish. David Burnham's prescient book, "The Rise of the Computer State," discussed these problems in 1980. Current information technology, including new surveillance programs, coupled with the increasing reliance on private sector database operators such as ChoicePoint that are not accountable to the public, only exacerbate the problem. "Invisible Punishment" challenges us to consider how these practices of exclusion operate through technology and what we must do to fix our systems to make our society more fair and just.

- Mihir Kshirsagar

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Workshop on Compliance with European Union Data Protection Requirements. June 2, 2003. U.S. Department of Commerce, TRUSTe and Oracle Corporation. Oracle Conference Center, 350 Oracle Parkway, Redwood Shores, CA.

Technologies for Protecting Personal Information. Federal Trade Commission. Workshop 1: The Consumer Experience. May 14, 2003. Workshop 2: The Business Experience. June 4, 2003. Washington, DC. For more information:

ITS-2003: Third International Conference on "Information Technologies and Security." June 23-27, 2003. Partenit, Crimea, Ukraine. For more information:

Press Freedom on the Internet. The World Press Freedom Committee. June 26-28, 2003. New York, NY.

Building the Information Commonwealth: Information Technologies and Prospects for Development of Civil Society Institutions in the Countries of the Commonwealth of Independent States. Interparliamentary Assembly of the Member States of the Commonwealth of Independent States (IPA). June 30-July 2, 2003. St. Petersburg, Russia. For more information:

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For more information:

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk and Science Fiction. August 11-13, 2003. Prague, Czech Republic. For more information:

Integrating Privacy Into Your Overall Business Strategy: Complying with Privacy Legislation for Competitive Advantage. International Quality and Productivity Centre (IQPC Canada). July 9-10, 2003. Toronto, Canada. For more information:

Chaos Communication Camp 2003: The International Hacker Open Air Gathering. Chaos Computer Club. August 7-10, 2003. Paulshof, Altlandsberg, Germany. For more information:

WWW2003: 5th Annual Conference on World Wide Web Applications. Department of Information Studies, Rand Afrikaans University, and the Department of Information Systems and Technology, University of Durban-Westville. September 10-12, 2003. Durban, South Africa. For more information:

Making Intelligence Accountable, Oslo, Norway September 19-20, 2003. The Geneva Centre for the Democratic Control of Armed Forces. For more information:

Privacy2003. Technology Policy Group. September 30-October 2, 2003.
Columbus, OH. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:
Subscribe/unsubscribe via e-mail:

To: Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

To: Subject: "help" (no quotes)

Problems or questions? e-mail <

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail , or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 10.10

