
EPIC Alert

EPIC Alert 10.15 [2003] EPICAlert 15


Volume 10.15 July 22, 2003

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Senate Requires Reporting For CAPPS II; Extends TIA Moratorium
[2] EPIC Testifies on Credit Reporting Privacy, Inaccuracy
[3] First HIPAA Privacy Enforcement Details Reported
[4] U.S. Park Police Releases Video Surveillance Policy
[5] RFID PR Revealed; Wal-Mart Cancels Major RFID Effort
[6] EPIC Testifies on Use and Misuse of the Social Security Number
[7] EPIC Bookstore: "Censorship Inc."

[8] Upcoming Conferences and Events

[1] Senate Requires Reporting For CAPPS II; Extends TIA Moratorium

On July 10, the Senate voted to withhold funding for the Computer Assisted Passenger Prescreening System (CAPPS II) until the Transportation Security Administration (TSA) provides more information about procedural and technological safeguards in the program. The provision is included in the Senate version of the Homeland Security appropriations bill.

CAPPS II would allow the government to evaluate the security threat an individual poses by analyzing personal information about that person. Information could be collected from credit reports, public records, and criminal records, among other sources. Passengers labeled a high threat would not be permitted to fly.

The Senate version of the bill prohibits the TSA from using any funding from the Act "for testing (other than simulations), deployment, or implementation of [CAPPS II]." The Senate prohibition would remain in effect until the TSA reports to the Government Accounting Office and Congress on the status of the following aspects of the program: any system of due process for correcting erroneous information; the error rate of the system; evidence of "efficiency and accuracy"; an internal board to oversee development; safeguards against abuse; safeguards against hackers; policies providing effective oversight of the implementation of the program; and absence of any privacy concerns with the technology employed.

The House version of the spending bill contains no specific reference to CAPPS II; a conference committee must reconcile the two versions.

The Senate has also voted to suspend funding for the equally controversial Terrorism Information Awareness (TIA) program as part of the Department of Defense appropriations bill. TIA is intended to capture every person's "information signature" through the collection and compilation of records regarding their activities. With vast databases of information signatures, the government would use algorithms to track potential terrorists and criminals.

While the Senate version of the spending bill would provide no funding for TIA, the House version instead would ban the use of such technology on U.S. citizens without congressional authorization. A conference committee will work out the differences between the Senate and House versions of the spending bill.

The Senate version of the Homeland Security appropriations bill is available at:

More information about CAPPS II is available at EPIC's Air Travel Privacy Page:

More information on Terrorism Information Awareness is available at EPIC's TIA Page:

[2] EPIC Testifies on Credit Reporting Privacy, Inaccuracy

On July 9, the House Committee on Financial Services held an extensive hearing on H.R. 2622, the Fair and Accurate Credit Transactions Act (FACT Act). EPIC Deputy Counsel Chris Hoofnagle was among the witnesses who testified at the hearing.

EPIC's testimony focused on preserving state legislative and enforcement authority in credit regulation. Hoofnagle argued that states have historically enacted the best privacy protection, and treating the FCRA as a federal ceiling is an aberration. As "laboratories of Democracy," states are in an advantageous position to create innovative privacy protections, and they are better situated than Congress to quickly address problems. An additional area of focus was affiliate sharing, as large banks can now exploit information inside their "corporate families." Because affiliate sharing allows financial institutions to share personal information about their customers without restrictions, it directly increases risk of identity theft and fraudulent marketing.

Consumer advocate Stephen Brobeck of the Consumer Federation of America also argued that the bill does not adequately address the major problems in credit reporting, such as the mismerged file that occurs when two individuals' files are combined into one report. William Springs of the National Urban League and Hillary Shelton of the NAACP also testified on behalf of consumers. Mr. Shelton argued that, under the current credit scoring system, minorities in all economic categories are disproportionately targeted with predatory and sub-prime lending.

In a separate letter to the Senate Banking Committee, EPIC presented evidence that systemic inadequacies at the Credit Reporting Agencies (CRAs) contribute to inaccuracy and consumer frustration. For instance, at one CRA, representatives are required to complete 100 consumer inquiries a day, giving them just four minutes per inquiry. The letter urges Congress to give consumers free and complete access to their reports.

EPIC's Testimony on H.R. 2622 is available at:

EPIC's Letter on CRA Inaccuracy is available at:

[3] First HIPAA Privacy Enforcement Details Reported

Three months after the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule became effective, the first updates on enforcement activities reflect the law's early implementation difficulties.

On June 24, the Office for Civil Rights (OCR), which is responsible for the enforcement of the Privacy Rule within the Department of Health and Human Services, provided an update to the National Committee on Vital and Health Statistics (NCVHS), a public advisory body to the Secretary of Health and Human Services. Stephanie Kaminsky of OCR testified that the office received 637 complaints prior to the hearing date. Of those, OCR had closed 124 cases and 513 remained open. A total of 260 cases were accepted for investigation after OCR determined that the complaint dealt with an issue, time frame and entity over which OCR has proper jurisdiction. No cases have been referred to the Justice Department for criminal prosecution. Complaints to the OCR have raised such issues as the inability of individuals to access their information, inadequate safeguards for health information, deficient provision of Notice of Privacy Practices, and insufficient minimum necessary procedures to limit disclosure in provider offices and facilities.

OCR has repeatedly stated that its enforcement goals are to promote voluntary compliance within the health care sector and to handle most complaints by providing technical assistance to the entity involved. Despite assurances that such assistance will be the primary means of enforcement, many health care organizations have become wary about disclosing information when civil and criminal penalties might follow. In an early July congressional briefing sponsored by the Healthcare Leadership Council, some organizations stated that they are delaying the use of e-mail and other communication technologies for transmitting information to patients. The delays are apparently caused by the need to have appropriate verification procedures and encryption in place to ensure that the information does not go astray.

Privacy Rule compliance and enforcement will remain prominent issues over the next year as OCR refines the substantive portion of the Enforcement Rule. The interim procedural Rule is set to expire in September 2004.

Office for Civil Rights in the Department of Health and Human Services:

National Committee on Vital and Health Statistics:

For more information, see EPIC's Medical Privacy Page at:

[4] U.S. Park Police Releases Video Surveillance Policy

The U.S. Park Police (USPP) recently released guidelines on the use of its video surveillance system in Washington, DC. The policy was formulated in response to critiques by Congress and the DC City Council more than a year ago that the USPP was not forthcoming about its use of video cameras, and should make public a policy on its camera surveillance of the Monumental Core of the nation's capital. For more than a year, the USPP has been constantly monitoring federal public spaces with undisclosed cameras without notifying the public, with few privacy safeguards in place and with little public oversight.

Last year the Metropolitan Police Department of the District of Columbia (MPDC) was also urged by Congress, the DC City Council and civil liberties groups to establish a video surveillance policy that would address privacy and freedom of speech concerns after the MPDC installed cameras without notifying the public or obtaining budget approval. Although the USPP's current guidelines constitute a good starting point, they are generally more invasive than the MPDC's guidelines, providing for 24-hour, seven-day-a-week surveillance, and retention of records for six months. The USPP guidelines are less detailed than those implemented by the MPDC and do not provide for any effective oversight and accountability mechanisms. The USPP guidelines also do not exclude later use of face recognition technologies.

Furthermore, the USPP guidelines are based on the assumption that video surveillance is effective to detect and prevent terrorist attacks, as well as deter criminal activity -- a claim which has never been proved to be true. In fact, a reference meta-study conducted on the effectiveness of law enforcement use of video surveillance in the United Kingdom and the United States clearly shows no strong evidence that cameras in center city and residential areas deter criminals or offer any value as a crime-fighting tool. Further, the United Kingdom, which originally justified the installation of video cameras in response to a terrorism threat, has never caught a single terrorist, even after installing more than 1,500,000 cameras throughout the country during the last ten years.

A recent report from the General Accounting Office questions the secret surveillance by the Park Police and points to the USPP's lack of public transparency and openness. The USPP's guidelines are subject to public comments.

USPP's CCTV Policy (June 2003) is available at:

EPIC's Video Surveillance Page is available at:

The UK government study on law enforcement use of video surveillance is available at:

The General Accounting Office's recent report on video surveillance is available at:

[5] RFID PR Revealed; Wal-Mart Cancels Major RFID Effort

Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) recently located internal public relations documents detailing how Radio Frequency Identification (RFID) developers plan to offset public opposition to the widespread implantation of the tracking devices in consumer products. The documents, prepared by Fleishman-Hillard, a public relations consultancy, detail how such a campaign may unfold. First, the documents outline the obstacles that hinder widespread implementation of RFID technology, including the desire of consumers to protect their privacy and cynicism about public and private sector concern for consumer privacy. The documents cite the need for the development of a proactive plan that would "neutralize opposition" and "mitigate possible public backlash." One proposed method of doing so is through the creation of a Privacy Advisory Council made up of "well known, credible, and credentialed experts" who may be "potentially adversarial advocates." The documents cite EPIC as an example of a potential council member.

In related news, retail giant Wal-Mart announced on July 9 that it is shelving plans to tag consumer products with RFID chips, after it had urged 100 of its top suppliers to begin tagging products by 2005. Wal-Mart had joined forces with Gillette to develop a "smart-shelf" system, where shelves outfitted with RFID readers would track Gillette products. The RFID sensors would alert a store manager when inventory ran low or a high-theft item was removed from the shelf. A Wal-Mart spokesperson said the smart-shelf system, expected to launch at a store in Brockton, MA, was never fully installed, and materials from the project have been removed.

Although Wal-Mart says the move simply reflects a corporate decision to implement RFID technology in warehouses and distribution centers instead of retail stores, concerns about the misuse of data gleaned from the tracking devices have prompted a public outcry against the technology. Wal-Mart is not the only corporation to forego implanting consumer products with RFID tags in the wake of public pressure. Italian clothier Benetton halted plans to tag its apparel after privacy advocates called for a worldwide boycott of the company's products.

RFID systems enable data to be transmitted by a portable device, called a tag, which is read by an RFID reader and processed according to the needs of a particular application. The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, date of purchase, etc. Chips integrated into commonplace products such as floor tiles, shelf paper, cabinets, appliances, exercise equipment, and grocery and packaged products would allow even our most intimate activities to be monitored. Many technology experts already predict the development of a seamless network of millions of RFID receivers strategically placed around the globe in airports, seaports, highways, distribution centers, warehouses, retail stores, and consumers' homes, all of which are constantly reading, processing, and evaluating consumers' behaviors and purchases.

Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN):

RFID Developers Internal Public Relations Documents are available at:

EPIC's RFID Page is available at:

[6] EPIC Testifies on Use and Misuse of the Social Security Number

On July 10, the House Subcommittee on Social Security of the Committee on Ways and Means held a hearing on the need to prevent Social Security Number (SSN) misuse. Led by Chairman E. Clay Shaw, Jr. (R-FL), the hearing focused on the widespread use and misuse of SSNs in the public and private sectors. Chairman Shaw announced that the committee would be introducing new legislation shortly addressing a variety of SSN issues. The hearing also examined legislative proposals aimed at combating SSN misuse and protecting privacy, as well as the potential ramifications of these proposals on businesses, consumers, and the government.

In his testimony, EPIC Deputy Counsel Chris Jay Hoofnagle reviewed historical and recent attempts to regulate the use of the SSN. Stating that there is ample legislative and judicial support for imposing limitations on the collection and use of the SSN, Hoofnagle asserted that consumers are often forced to reveal their SSNs to obtain goods and services, a practice called "coercive disclosure." Hoofnagle then described trends involving the SSN, including the statistical rise in identity theft complaints, the increasing occurrence of large-scale identity thefts, and the frequent use of the SSN in the private sector. He argued that SSN use regulation is the key to preventing identity theft.

Hoofnagle recommended that the Committee consider the Social Security Number Privacy and Identity Theft Protection Act of 2001, 107 H.R. 2036, a guide to limiting the use of the SSN.

Other panelists included Barbara Bovbjerg, the Associate Director of the General Accounting Office; James G. Huse, Jr., the Inspector General of the Social Security Administration; Theodore Wern of the Identity Theft Resource Center, and Steve Edwards of the Georgia Bureau of Investigations.

Bovbjerg testified on the public and private sector use of the SSN, and explained how easy it is to obtain false identification through the SSN by citing a study in which the GAO acquired a false state driver's license and a false social security card. Bovbjerg also emphasized the fact that replacement SSN cards are easily obtained and can be sold. Congressman Becerra discussed the possibility of third-party verification of personally identifying documents such as the social security card and the driver's license to protect against fraudulent documents. Inspector General Huse encouraged limiting the availability of the SSN on public documents, and stressed that the use of the SSN as a personal identifier for the private sector is unnecessary (an idea that proved to be a recurring theme throughout the hearing). Wern testified on various forms of identity theft he has seen through his resource center, focusing on the theft of children's identities and those of military personnel. Wern argued that the SSN is the "golden piece of information" for identity thieves, and with a name and birth date, one can easily destroy an individual's credit.

EPIC's Testimony on SSN Misuse is available at:

July 10 Ways and Means Hearing on Use and Misuse of SSN:

[7] EPIC Bookstore: "Censorship Inc."

Lawrence Soley, Censorship Inc., The Corporate Threat to Free Speech in the United States (Monthly Review Press 2002).

In his review of First Amendment cases, Lawrence Soley argues that the Supreme Court has created a broad bundle of free speech rights against government suppression of expression. Now lawmakers and the courts should turn to the private sector to grant limited First Amendment protections against business censorship. He catalogs the broad array of censorial powers possessed by private entities -- including product defamation lawsuits, massive retailers that ban books and music from stores, and the lack of expressive rights at properties open to and subsidized by the public. "Because such tactics are widely used to restrict speech," Soley argues, "businesses now pose a greater threat to free speech than government."

We live in a world with increasingly powerful private entities, ones that operate our meeting places and communities. For instance, today's equivalent of the Forum is the modern shopping mall. But most mall operators do not allow free speech, and courts in most states don't require it. Further, mall owners can surround their buildings with massive parking lots, insulating the shopper from the possibility of being exposed to the inconvenient ideas presented by protestors. We should consider whether we have lost something as a society when our principal meeting places are insulated from all messages except the commercial.

Soley gives special attention to the censorial efforts of the advertising industry. He introduces the topic with a quote from legendary journalist and editor George Seldes. I've never heard a media lawyer ever utter his name, but he should be on our minds because he accepted no advertising and, as a result, was free to fully cover the misdeeds of big business and tobacco long before ad-dependent mass media could. Soley shows that large advertisers effectively place prior restraints on content by pulling accounts where publications even mentioned cancer, spoke of the availability of non-smoking flights, or covered homosexual lifestyles. Revlon even pulled advertising in an issue of one magazine because the cover bore the faces of women sans makeup. Addressing these issues is difficult because the modern newspaper now contains more advertising than news, and derives its profits from advertising rather than subscriptions.

Nevertheless, we could have a freer future with limited First Amendment protections against private actors. Soley's book pushes us in that direction, towards greater employee rights, free expression for artists and musicians, and for political organizing.

Chris Jay Hoofnagle

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk and Science Fiction. August 11-13, 2003. Prague, Czech Republic. For more information:

Chaos Communication Camp 2003: The International Hacker Open Air Gathering. Chaos Computer Club. August 7-10, 2003. Paulshof, Altlandsberg, Germany. For more information:

WWW2003: 5th Annual Conference on World Wide Web Applications. Department of Information Studies, Rand Afrikaans University, and the Department of Information Systems and Technology, University of Durban-Westville. September 10-12, 2003. Durban, South Africa. For more information:

Making Intelligence Accountable, Oslo, Norway September 19-20, 2003. The Geneva Centre for the Democratic Control of Armed Forces. For more information:

Privacy2003. Technology Policy Group. September 30-October 2, 2003.
Columbus, OH. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Problems or questions? e-mail < >

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 10.15

