EPIC Alert

EPIC Alert 10.16 [2003] EPICAlert 16


Volume 10.16 August 6, 2003

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] TSA Issues CAPPS II Notice; Expands System
[2] Data Privacy Bill Introduced; Admiral Poindexter To Resign
[3] Bill Introduced to Reverse PATRIOT Act Provisions
[4] GAO Privacy Act Report Indicates Need for Better Compliance
[5] Researchers Find Flaws in Electronic Voting
[6] News in Brief
[7] EPIC Bookstore: Secure Coding: Principles & Practices
[8] Upcoming Conferences

[1] TSA Issues CAPPS II Notice; Expands System

The Transportation Security Administration (TSA) has released a supplementary Privacy Act notice outlining its plans to administer the Enhanced Computer Assisted Passenger Profiling System (CAPPS II). The agency claims that CAPPS II will enhance transportation security by relying upon private-sector database companies to identify passengers, and a set of secret procedures to perform a risk assessment on travelers. Passengers will be assigned a risk score by CAPPS that could subject them to heightened security screening or detention.

The notice is more specific about the TSA's planned collection, use, and storage of personal information than an earlier release in January 2003, but fundamental privacy problems with CAPPS remain. The system establishes a government checkpoint on almost all commercial aviation that could be extended to other forms of transportation, or even to security at government buildings.

In a significant expansion of the program, TSA announced that CAPPS II will not only scan for suspected terrorists, but also for those wanted for violent crimes.

The notice announces TSA's plans to allow a "passenger advocate" to provide access to information in CAPPS, along with an appeals process to address errors. However, the notice exempts CAPPS II from a number of Privacy Act requirements, including duties to grant access to personal information, duties to make an accounting of disclosures of personal information, provisions that limit the scope of information that can be maintained by the agency, and accountability provisions that apply criminal penalties for misuse of personal information.

Any member of the public can comment on the CAPPS II notice until September 30, 2003.

The TSA CAPPS II Notice is available at:

More information about CAPPS II and air travel privacy is available at EPIC's Air Travel Privacy Page:

[2] Data Privacy Bill Introduced; Admiral Poindexter To Resign

Senator Ron Wyden (D-OR) has introduced S. 1484, the Citizens' Protection in Federal Databases Act. The bill would require the Departments of Justice, Defense, Homeland Security, Treasury, Central Intelligence Agency, and the Federal Bureau of Investigation to submit a report to Congress on use of private-sector databases, or lose funding for purchasing personal information from companies such as ChoicePoint and Lexis-Nexis.

The report must give a detailed description of the contracts that the agencies have with private sector profilers. The report will also cover how the agencies access personal information, how data mining is being employed, the type of data purchased, the purposes for which the information is used, whether there are security or audit mechanisms in place, and data retention practices.

The bill prohibits using data mining without some suspicion of criminal wrongdoing. That provision was included to prohibit the use of so-called "red teams" that would invent hypothetical scenarios for possible terrorist attacks and then search databases to detect traces of their fabricated plans.

In a separate development, Admiral John Poindexter, chief of the Defense Advanced Research Projects Agency's Information Awareness Office, will resign. Controversy surrounded Poindexter's appointment to the office, where he spearheaded research projects that had highly invasive applications, such as Total Information Awareness (TIA) and Human ID at a Distance. Poindexter was well known in the computer security community for his involvement in National Security Decision Directive Number 145, a 1984 policy that would have given the National Security Agency control over security for all government computer systems containing "sensitive but unclassified" information. This was followed by a second directive that extended military authority over all computer and communications security for the federal government and private industry.

The text of the Citizens' Protection in Federal Databases Act is available at:

Information about how private sector profilers use public records information is available at EPIC's Public Records Page:

FBI Documents Detailing Use of Private Sector Databases are available at:

The text of NSDD 145 is available at:

Information about Total Information Awareness is available at EPIC's Total Information Awareness Page:

[3] Bill Introduced to Reverse PATRIOT Act Provisions

Senator Lisa Murkowski (R-AK) has introduced a bill meant to address risks to civil liberties posed by the USA PATRIOT Act. The Protecting the Rights of Individuals Act (PRIA), cosponsored by Senator Ron Wyden (D-OR), is intended to curtail considerable law enforcement search and seizure powers now permitted under the USA PATRIOT Act.

If enacted, the PRIA would require law enforcement agencies to obtain court orders to conduct electronic surveillance, and would heighten judicial oversight of law enforcement monitoring of certain telephone and Internet communications. Law enforcement officials could delay notification of an issued warrant or court order only when immediate notification might jeopardize an investigation or threaten the physical safety of an individual. Law enforcement agencies attempting to place roving wiretaps on telephones would have to demonstrate to a judge that a crime has been, or will be, committed. The PRIA would also limit the Federal Bureau of Investigation's ability to access such personal information as an individual's medical, library, and Internet records without demonstrating probable cause that the individual is an agent of a foreign power.

In addition, the PRIA would forbid data-mining without explicit authorization from Congress, and would require the Office of the Attorney General to publish annual reports disclosing certain aspects of its search activities under the USA PATRIOT Act. Further, the bill would restrict law enforcement requests to libraries to turn over information regarding Internet use by library patrons to the investigation standards provided in the Foreign Intelligence Surveillance Act (FISA).

In related news, the American Civil Liberties Union (ACLU) recently filed the first legal challenge to the USA PATRIOT Act. In MCA, et al. v. Ashcroft and Mueller, the ACLU alleges that the broad scope of FBI search power authorized by the USA PATRIOT Act violates the First, Fourth, and Fifth Amendments of the Constitution.

The text of the Protecting the Rights of Individuals Act is available at:

Information about the USA PATRIOT Act is available at EPIC's USA PATRIOT Act Page:

Additional information about USA PATRIOT Act developments is available at EPIC's PATRIOT II Page:

Information about the Foreign Intelligence Surveillance Act (FISA) is available at EPIC's FISA Page:

The ACLU's Complaint in MCA, et al. v. Ashcroft and Mueller is available at:

[4] GAO Privacy Act Report Indicates Need for Better Compliance

On July 30, the General Accounting Office (GAO) released a report finding that compliance with the Privacy Act by government agencies is inconsistent and, as a result, individuals cannot be assured that their privacy rights are being protected. The report, "Privacy Act: OMB Leadership Needed to Improve Agency Compliance," was initiated at the request of Sen. Joseph Lieberman (D-CT), Ranking Minority Member of the Senate Committee on Governmental Affairs.

The Privacy Act requires that a governmental agency observe certain procedures when it is collecting personal information that is retrieved by a personal identifier. These procedures call for the agency to collect only necessary information, provide public notice when creating or altering record-keeping systems, and safeguard the information.

The GAO, studying a cross section of 25 agencies and systems ranging from files of five persons to 290 million persons, found that respondents' compliance with the Privacy Act ranged from 70 percent to 100 percent. The GAO estimates that for 10 percent of the systems kept, agencies allow individuals to access personal information over the Internet. Privacy officers at the subject agencies explained the need for more oversight and guidance by the Office of Management and Budget (OMB) in order to increase compliance. As a result, GAO's overarching recommendation was for increased OMB oversight. The OMB, charged with setting forth guidelines and regulations for agency implementation of the Privacy Act, disagreed with the report's conclusion and recommendations, finding the statements "reckless and irresponsible" based on the compliance data.

While the GAO was careful to conclude that the lack of compliance does not mean that the government will not protect individuals' privacy rights, it did make clear that, under these circumstances, privacy protection cannot be assured.

The GAO report, "Privacy Act: OMB Leadership Needed to Improve Agency Compliance," is available at:

The text of the Privacy Act is available at:

[5] Researchers Find Flaws in Electronic Voting

A recent study conducted by computer science researchers at Johns Hopkins University has found that electronic voting systems contain "significant security flaws" that may subject election results to fraud by both voters and those involved in election administration.

The researchers conducted the study using source code found on the Internet that is believed to be the proprietary code of the AccuVote-TS touch-screen voting system produced by Diebold Election Systems.

The study found that the voting machines' use of "smartcards" renders the system vulnerable to tampering by voters as well as "insiders such as poll workers, software developers and even janitors," all of whom could cast multiple votes due to the voting system's failure to provide a means to track such misconduct. The report was also critical of the system's failure to provide a paper "audit trail" that can be reviewed by voters for accuracy. The researchers conclude that "there appears to have little quality control in the [software development] process."

The researchers' report urges openness in the software development process to facilitate the creation of better quality electronic voting software. Alternatively, the researchers recommend that electronic voting systems include a voter-verifiable paper audit trail to ensure accuracy in the voting process.

Diebold voting machines have already been used in elections in Maryland, Georgia, California, and Kansas, among other locations. Maryland election officials recently ordered $55.6 million worth of touch-screen voting equipment from Diebold in preparation for the implementation of electronic voting throughout the state.

The Johns Hopkins researchers' report "Analysis of an Electronic Voting System" is available at:

More information about electronic voting is available at:

To sign a petition urging voter-verifiable ballot trails, see:

[6] News in Brief

CA Fed. Court Rules that FCRA Preempts Local Privacy Law
In a serious setback to privacy rights, a federal district court in the Northern District of California has ruled that the Fair Credit Reporting Act preempts city ordinances that established certain heightened privacy protections. The ordinances, enacted in several California cities and counties, required financial institutions to obtain opt-in consent before sharing personal information amongst affiliated and non-affiliated entities. The ordinances were intended to supplement the federal Gramm-Leach-Bliley Act (GLBA), which sets weak, opt-out standards for information sharing among non-affiliates, and does not allow any choice in regards to affiliate sharing. The court invalidated opt-in requirements for affiliate sharing, but upheld an opt-in standard for non-affiliate information sharing. The court's decision is likely to be appealed, as Congress clearly intended to allow states to regulate information sharing in passing the GLBA.

The opinion in Bank of America v. Daly City, Nos. 02-4343 & 02-4943 (N.D. Cal. July 29, 2003) is available at:

Homeless Tracking System Announced
The Department of Housing and Urban Development announced its guidelines for "Homeless Management Information Systems" (HMIS). HMIS is a standard system for tracking homeless persons and the services rendered to them. Entities that provide services would collect their names, Social Security Numbers, dates of birth, race, gender, health status (including HIV, pregnancy, and domestic violence), veteran status, and income information.

Although the plan does not call for a national, centralized database, the information collected could easily facilitate the creation of a national database in the future. Furthermore, law enforcement, Secret Service, and National Security access to the database would be nearly unlimited. The guidelines are open to public comment until September 22, 2003.

HUD Homeless Management Information Systems webpage:

Colleges Seek to Quash P2P Subpoenas Under FERPA
Boston College and the Massachusetts Institute of Technology are relying upon the Federal Educational Rights and Privacy Act (FERPA) to invalidate subpoenas directed to the institutions that seek the identity of students using peer-to-peer file sharing systems. The Recording Industry Association of America issued the subpoenas in an attempt to bring suit against students operating popular file sharing systems on the campuses. The subpoenas, issued under the Digital Millennium Copyright Act (DMCA), present a serious risk to privacy as they allow a copyright holder to determine the identity of an Internet user without meaningful due process.

The EPIC Letter on P2P Monitoring in Higher Education is available at:

More information about education privacy is available at EPIC's FERPA Page:

[7] EPIC Bookstore: Secure Coding: Principles & Practices

Mark G. Graff and Kenneth R. van Wyk, Secure Coding: Principles & Practices (O'Reilly 2003).

Attacks on computer systems and networks occur today at an alarming rate. Worms, malevolent mail, and distributed denial of service attacks undermine systems around the globe, from banks to major e-commerce sites to critical infrastructure computers. Despite their many manifestations and targets, nearly all attacks have one fundamental cause: the code underlying these computers and networks is not secure.

Finally, a book takes aim at the fundamental problem challenging the very future of the Internet. Packed with expert advice based on the authors' decades of experience, Secure Coding sheds light on the economic, psychological, and practical reasons why security vulnerabilities are so ubiquitous today. Much more than a technical tome, this concise and engaging book is a call to arms, a challenge to all of us to finally make a commitment to building secure code. The future of technology may very well depend on our heeding the call.

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Chaos Communication Camp 2003: The International Hacker Open Air Gathering. Chaos Computer Club. August 7-10, 2003. Paulshof, Altlandsberg, Germany. For more information:

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk and Science Fiction. August 11-13, 2003. Prague, Czech Republic. For more information:

NSF Cyber Trust Point Meeting. Johns Hopkins University Information Security Institute. August 13-15, 2003. Baltimore, Maryland. For more information:

Voting Machines: A Threat To Democracy? The Ethical Society. September 7, 2003. Philadelphia, Pennsylvania. For more information:

Surveillance and Privacy 2003: Terrorists and Watchdogs. Baker & McKenzie Cyberspace Law and Policy Centre and University of New South Wales Law Faculty. September 8-9, 2003. Sydney, Australia. For more information:

25th International Conference of Data Protection and Privacy Commissioners. September 10-12, 2003. Sydney, Australia. For more information:

WWW2003: 5th Annual Conference on World Wide Web Applications. Department of Information Studies, Rand Afrikaans University, and the Department of Information Systems and Technology, University of Durban-Westville. September 10-12, 2003. Durban, South Africa. For more information:

Making Intelligence Accountable, September 19-20, 2003. Oslo, Norway. The Geneva Centre for the Democratic Control of Armed Forces. For more information:

Privacy2003. Technology Policy Group. September 30-October 2, 2003.
Columbus, OH. For more information:

Getting the Technology You Deserve: Community Participation in Regional Cable Franchise Policy. Computer Professionals for Social Responsibility. October 25, 2003. Seattle, Washington. For more information:

ICANN Meeting. Internet Corporation for Assigned Names and Numbers.
October 27-31, 2003. Carthage, Tunisia. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Problems or questions? e-mail < >

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 10.16

