WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2003 >> [2003] EPICAlert 17

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 10.17 [2003] EPICAlert 17


Volume 10.17 August 21, 2003

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Poindexter Resigns, But Legacy of TIA Remains
[2] Tampa Police Drop Failing Face Recognition System
[3] CA Passes Strongest Financial Privacy Standard in the Nation
[4] EPIC Releases Fact Sheet on Homeless Tracking Systems
[5] Maryland Governor Orders Audit of Electronic Voting Machines
[6] News in Brief
[7] EPIC Bookstore: Protecting Your Money, Privacy and Identity
[8] Upcoming Conferences and Events

[1] Poindexter Resigns, But Legacy of TIA Remains

Retired Admiral John M. Poindexter has resigned from his position ashead of the Defense Advanced Research Projects Agency's InformationAwareness Office. In a strongly-worded and unapologetic resignationletter, Poindexter defended his office's controversial projects,
including its plans for an online futures market for predictingterrorist attacks and its Total Information Awareness (TIA) system.
He dismissed mounting criticism from both government officials andcitizens as the result of misunderstanding, misrepresentation bymedia, and a "highly-charged political environment."

Poindexter insisted that the Total Information Awareness project -- asurveillance system employing a centralized global database ofindividuals' personal data -- was not a threat to privacy. "We nevercontemplated spying and saving data on Americans," wrote Poindexter.
"We only wanted to find specific patterns of activities that wouldlead us to foreign terrorists."

While Poindexter's resignation, and severely curtailed funding for theproject, leave the future of TIA in doubt, a new state-level system inFlorida may serve much the same function. Police agencies in thestate are currently developing a centralized database surveillancesystem similar in structure to TIA, with funding assistance from boththe Justice Department and the Department of Homeland Security. Thesystem, dubbed Matrix, would enable investigators to find patterns andlinks among people and events using a combination of police recordsand commercially available personal data. At least 135 policeagencies have signed up for the service, which is poised to expand toother states across the country.

The text of Poindexter's resignation letter is available at:

More information about the TIA system is available at EPIC's TotalInformation Awareness Page:

Read more about Florida's new centralized Matrix surveillance systemat "U.S. Backs Florida's New Counterterrorism Database," WashingtonPost, August 6, 2003:

[2] Tampa Police Drop Failing Face Recognition System

The Tampa Police Department has abandoned the face recognitionsoftware used in conjunction with its video surveillance cameras,
citing the system's failure to recognize anyone wanted by theauthorities over a two-year period. Tampa authorities first used thetechnology during the 2001 Super Bowl -- without any success -- whenthey systematically scanned every attendee's face to compare it with alist of suspects' mug shots. The system used in Tampa never led toany arrests or positive identifications, though occasionally wronglyidentified innocent people as wanted felons.

Face recognition technology is one of the tools used in biometrics,
the science of identifying people using parts of their bodies.
Coupled with video surveillance, the technology captures "signatures"
of faces on high-resolution cameras and compares them with mug shotsin police databases, which generally include people with outstandingfelony warrants, and those on the FBI's "most wanted" list andterrorist watchlists.

Face recognition technology has never been proved to be reliable.
Studies sponsored by the U.S. Department of Defense have shown thesystem is accurate only fifty-four percent of the time and can besignificantly compromised by changes in lighting, weight, hair,
sunglasses, subject cooperation, and other factors. Likewise, testson the face recognition systems in operation at Palm Beach Airport inFlorida have shown the technology to be ineffective and error-ridden,
leading authorities to forego use of face-recognition equipment. InVirginia Beach, Virginia, police use of the technology has notresulted in the apprehension of a single wanted person in over a year.

In Washington, DC, the Metropolitan Police Department (MPD) two yearsago began installing a wide network of cameras without priorauthorization from the City Council. Last year, under pressure fromCongress, the Council and civil liberties organizations, the MPDagreed to comply with a set of video surveillance guidelines. Theguidelines do not, however, regulate the use of facial recognitiontools. Although the technology apparently has never been used inconjunction with the DC cameras, nothing would prevent the police fromdoing so; the MPD has always left open that possibility and hasacknowledged that its cameras could easily operate with facerecognition tools. A bill pending in the DC Council would flatlyprohibit any use of face recognition technology without specificlegislative authorization. The United States Park Police, a federalagency with jurisdiction over DC's federal lands, recently released a"Closed Circuit Television Policy" that leaves open the possibility ofusing the technology with its cameras located on the Mall and otherfederal areas of the nation's capital.

More information about video surveillance is available at:

More information about face recognition is available at:

Information about EPIC's Observing Surveillance project is availableat:

[3] CA Passes Strongest Financial Privacy Standard in the Nation

California will soon have the strongest financial privacy protectionsin the country as the result of the passage of SB 1, the CaliforniaFinancial Information Privacy Act. Introduced by State Senator JackieSpeier (D-San Mateo), passage of the bill followed a criticalcompromise among the bill's sponsors, privacy advocates, and thefinancial services industry. Governor Gray Davis is expected to signthe bill into law within the next ten days, which will end a four-yeardebate in the State on financial privacy and the progress of astronger initiative movement that would have required opt-in for alldisclosures of personal information.

Under the federal Gramm-Leach-Bliley Act, financial services companiesmust give notice of their privacy policies and allow individuals toopt out of information sharing among non-affiliated companies.
Accordingly, financial services companies can transfer informationamongst corporate affiliates over a customer's objection, and canfashion "joint marketing" agreements to circumvent the wishes ofindividuals who opt out.

Under the new law, Californians will be able to opt out of someaffiliate sharing, and opt-in will be required before financialservices companies sell information to non-affiliates. Certainaffiliates -- those regulated by the same agency and that operate inthe same line of business -- will be able to transfer data even if acustomer opts out. The bill requires financial institutions toprovide consumers with a self-addressed envelope for opting out.
Institutions will not be able to deny services to those who choose torestrict the exploitation of personal information.

The ultimate fate of these protections is unclear. A recent decisionin Bank of America v. Daly City (see EPIC Alert 8.16) struck downregulations of affiliate sharing enacted by several California cities.
It is likely that the financial services industry, despite agreeingnot to oppose SB 1, will file suit to have the affiliate sharingprovisions invalidated. The impending suit should not affectprovisions of the law on notice and non-affiliate sharing.

However, Congress could take action this fall, and apply theCalifornia standard to the entire country when considering amendmentsto the federal Fair Credit Reporting Act.

The text of SB 1 is available at:

More information about the Gramm-Leach-Bliley Act is available at:

More information about the Fair Credit Reporting Act is available at:

Additional information about federal financial privacy law isavailable at:

[4] EPIC Releases Fact Sheet on Homeless Tracking Systems

EPIC has published a fact sheet on Homeless Management InformationSystems (HMIS) (see EPIC Alert 10.16). HMIS are database systems thatthe Department of Housing and Urban Development (HUD) is requiringshelters to maintain. Under the proposed guidelines, federally fundedshelters and other care organizations will be required to collectunique identifiers, as well as physical and mental health informationon each benefits recipient. There are specific provisions thatrequire the collection of HIV and pregnancy status.

Homeless tracking presents a number of privacy and civil libertiesconcerns. First, HMIS lays the infrastructure for a nationwide systemof homeless tracking. The proposed guidelines mandate consistency indata collection, and the ability to export all data in the system to acommon format. This raises substantial risks for those living withHIV, physical or mental health disabilities, or others who haveconditions that potentially subject them to stigma or discrimination.

Second, government access to the database is nearly unlimited. Underthe proposed guidelines, system users can disclose information fromthe database to Secret Service or agents of a national security agencywithout any showing of an emergency, a court order, or even a risk ofattack. Law enforcement access is more limited, but nevertheless, HUDis not requiring police to obtain warrants or court orders beforereleasing HMIS data.

Third, HMIS places victims of domestic violence at heightened risk ofharm. Many victims flee violent partners by staying in shelters, andHMIS may provide opportunities for malicious actors to locate theirvictims.

The EPIC fact sheet argues that HUD should seek less invasivealternatives to evaluate the effectiveness of benefits and support forthe poor. For instance, HUD could perform a census on a specific dayto obtain an unduplicated count of the homeless staying in particularshelters. Such a census would not require the collection of personalidentifiers or tracking over time, and would be less expensive.

The public can comment on HMIS until September 22, 2003 by mail toHUD. No provision for electronic or fax submissions has beenarranged. Comments should be addressed to:

Michael RoanhouseRe: Doc. No. FR 4848-N-01 / HMIS DataOffice of Special Needs Assistance ProgramsOffice of the Assistant Secretary for Community Planning andDevelopmentRoom 7262 HUD451 7th St. SWWashington, DC 20410
EPIC's Homeless Tracking Fact Sheet is available at:

HUD's proposed HMIS Guidelines are available at:

More information about privacy and the homeless is available at:

[5] Maryland Governor Orders Audit of Electronic Voting Machines

Less than two weeks after Johns Hopkins University computer scientistsreleased a report criticizing security flaws in Diebold votingmachines (see EPIC Alert 10.16), Maryland Governor Bob Ehrlich hasordered an independent review of the 11,000 touch-screen AccuVote-TSvoting machines that the state of Maryland agreed to purchase fromDiebold for $55.6 million. Maryland officials had intended theelectronic voting system to be used in the presidential primaryelection next spring.

Maryland retained Science Application International Corporation, aninternational computer security firm, to evaluate the Diebold machinesand their proprietary code. If the firm is not satisfied with themachines' security, the state may request that Diebold makeimprovements or cancel the purchase altogether.

Ehrlich's order supports the position of a Maryland state panel thatasked the state not to purchase new voting technology without a betterunderstanding of its accuracy and security risks, a request whichMaryland denied. State elections board officials expressed littleinterest in delaying the purchase prior to Ehrlich's order, claimingthat state and federal law require Maryland to improve its votingsystems as soon as possible.

The Johns Hopkins researchers' study concluded last month thatAccuVote-TS voting machines, the same machines Maryland agreed topurchase from Diebold, could be easily manipulated by hackers, votinginsiders and others to produce skewed voting results.

The press release from Governor Ehrlich's office announcing the revieworder is available at:

The Johns Hopkins researchers' report "Analysis of an ElectronicVoting System" is available at:

More information about electronic voting is available at:

[6] News in Brief

Mississippi District Installs Webcams in Classrooms
A school district in Biloxi, Mississippi became the first in thenation to install a system of Internet-wired video cameras, nearly 500total, to monitor its classrooms and hallways 24 hours a day. Thedistrict, which enrolls 6,300 students, cited security concerns as thebasis for its camera use. Only designated school officials andsecurity personnel are permitted to view the images, which can bedisplayed on computers linked to the Internet. Other school districtsin the U.S. and Britain are beginning to experiment with classroomwebcams, as well.

Additional information about student privacy is available at:

Presidential Commission Proposes Monitoring Mail
The President's Commission on the Postal Service has recommended thatthe postal agency collaborate with the Department of Homeland Securityto study the development of sender-identification requirements for allmail. A proposed system, called "Intelligent Mail," would usetracking codes to verify who sends and receives mail. The commissioncited the system as a way to improve the security of the postalnetwork, as well as a means of enabling businesses and consumers tracktheir mail. Critics, however, warn that eliminating the ability tosend anonymous mail could infringe on individual privacy rights.

The final report of the President's Commission on the Postal Serviceis available at:

EPIC Introduces Five New Web Pages
The Electronic Privacy Information Center has added five new web pagesto its site, focusing on RFID tags; credit scoring; polygraph testing;
the Privacy Protection Act of 1980; the Right to Financial PrivacyAct; and privileges. In addition, provides a daily updateof new developments on privacy-related issues.

EPIC's new RFID Page is available at:

EPIC's new Credit Scoring Page is available at:

EPIC's new Polygraph Testing Page is available at:

EPIC's new Privacy Protection Act of 1980 Page is available at:

EPIC's new Right to Financial Privacy Act Page is available at:

EPIC's new Privileges Page is available at:

For up-to-date news on new developments on privacy-related issues,

[7] EPIC Bookstore: Protecting Your Money, Privacy and Identity

Jim Gaston & Paul Wing: Protecting Your Money, Privacy and Identityfrom Theft, Loss and Misuse (The Canadian Institute of CharteredAccountants 2003).

There is no lack of writing and warnings out there about the need toprotect yourself and your assets these days, but it is hard to find abook you would give your aging mother to read to help her get up thecourage to bank online. This new publication, although focused on theCanadian environment, is a very useful contribution to the literature.

We still long for the republication and updating of the nowout-of-print classic "The Privacy Rights Handbook: How to Take Controlof Your Personal Information," by Beth Givens of the Privacy RightsClearinghouse, but there is no sign of that happening soon. In themeantime, Gaston and Wing have done a great job of organizing thedaunting task of protecting your own personal information. They arebanking and Internet security experts, and have included a number ofuseful tips about everyday e-commerce tasks. This is a calm and soberwalk through the mysteries of protecting your personal information,
with a family perspective.

There is a certain amount of repetition in the book, because it isorganized into chapters which naturally have overlap (sensitiveinformation at home and away, communications and transactions, debitcards and credit cards, seven chapters on all aspects of protectingyour computer, your transactions, your email, etc.). Activities arerated in terms of risk, and there are summaries of "Practical Steps toProtect Yourself" in each chapter under each theme, such as dealingwith telephone inquiries, sending and receiving faxes, and usingwireless connections. More computer literate readers will doubtlessargue with some of the advice, or complain that it is not detailedenough. This book is aimed at the general reader, though, and one ofthe biggest problems we have to deal with in teaching good privacy andsecurity practices is the fact that the average user is very easilyoverwhelmed by technical information.

There are useful workbooks at the back of the book, and a shortglossary. The book could be more useful for the reader who wants tolearn more if it included a bibliography for further reading. Thereis no discussion of the problems of particular platforms, hardware andsoftware -- obviously a deliberate choice -- but there is no questionthese decisions make a difference to risk. Finally, once everyonefollows the advice and gets virus scanners and firewalls, managingthem could be dealt with in more detail.

Stephanie Perrin

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 21stedition fully updates the manual that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or need to learn how to litigatethem), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Lawsand Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including data protection, telephonetapping, genetic databases, video surveillance, location tracking, IDsystems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Voting Machines: A Threat To Democracy? The Ethical Society.
September 7, 2003. Philadelphia, Pennsylvania. For more information:

Surveillance and Privacy 2003: Terrorists and Watchdogs. Baker &
McKenzie Cyberspace Law and Policy Centre and University of New SouthWales Law Faculty. September 8-9, 2003. Sydney, Australia. For moreinformation:

25th International Conference of Data Protection and PrivacyCommissioners. September 10-12, 2003. Sydney, Australia. For moreinformation:

WWW2003: 5th Annual Conference on World Wide Web Applications.
Department of Information Studies, Rand Afrikaans University, and theDepartment of Information Systems and Technology, University ofDurban-Westville. September 10-12, 2003. Durban, South Africa. Formore information:

Making Intelligence Accountable, September 19-20, 2003. Oslo,
Norway. The Geneva Centre for the Democratic Control of Armed Forces.
For more information:

The State of Accountable Government in a Surveillance Society. Officeof the Information and Privacy Commissioner for British Columbia.
September 25-26, 2003. Victoria, British Columbia. For moreinformation:

Privacy2003. Technology Policy Group. September 30-October 2, 2003.
Columbus, OH. For more information:

UbiComp 2003 Privacy Workshop. October 12, 2003. Seattle, WA. Formore information:

Getting the Technology You Deserve: Community Participation inRegional Cable Franchise Policy. Computer Professionals for SocialResponsibility. October 25, 2003. Seattle, Washington. For moreinformation:

ICANN Meeting. Internet Corporation for Assigned Names and Numbers.
October 27-31, 2003. Carthage, Tunisia. For more information:

RFID Privacy Workshop. Massachusetts Institute of Technology.
November 15, 2003. Boston, Massachusetts. For more information:

Localizing the Internet: Ethical Issues in Intercultural Perspective.
International Center for Information Ethics. October 4-6, 2004.
Karlsruhe, Germany. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Problems or questions? e-mail < >

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under"subscription information". Please contact if you wouldlike to change your subscription e-mail address, if you areexperiencing subscription/unsubscription problems, or if you have anyother questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140(tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you cancontribute online at:

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 10.17


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback