WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2003 >> [2003] EPICAlert 21

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 10.21 [2003] EPICAlert 21


Volume 10.21 October 17, 2003

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Sues DOJ for PATRIOT Act Lobbying Info
[2] Canada's Biometric ID Plan Under Fire
[3] EPIC, PIRG Submit Comments on Bank Security Notices
[4] Senate Passes Genetic Privacy Measure
[5] European Parliament Opposes Air Travel Data Transfer
[6] News in Brief
[7] EPIC Bookstore: Corporateering
[8] Upcoming Conferences and Events

[1] EPIC Sues DOJ for PATRIOT Act Lobbying Info

EPIC filed suit in federal district court this week seeking therelease of Department of Justice (DOJ) records regarding the effortsof federal prosecutors to oppose legislative revisions to thecontroversial USA PATRIOT Act. The lawsuit challenges DOJ's refusalto expedite the processing of EPIC's Freedom of Information Act (FOIA)
request for the material.

On July 22, the House of Representatives voted 309-118 to prohibit theuse of federal funds for the execution of delayed notice searchwarrants. "Sneak and peek" warrants, which were authorized by the USAPATRIOT Act, allow law enforcement officers to conduct a search of anindividual's property and delay notifying that individual until afterthe search occurred. On August 14, DOJ issued a memorandum urging allU.S. Attorneys "to call personally or meet with . . . congressionalrepresentatives" to talk over "the potentially deleterious effects" ofdenying funding for delayed notification warrants. The memo includeda list of Representatives and identified those who had voted toprohibit such warrants. The memorandum received substantial mediacoverage and raised serious questions regarding the legality of theprosecutors' lobbying efforts.

EPIC submitted a FOIA request to DOJ for information about thememorandum, and requested expedited processing, as provided under theFOIA and DOJ regulations. The department refused to expedite on thegrounds that "the subject of [EPIC's] request is not one ofexceptional media interest, nor does it raise any questions about thegovernment's integrity which might affect public confidence."
Furthermore, DOJ determined that EPIC's request "does not support afinding that that there is an urgency to inform the public" aboutDOJ's lobbying campaign.

EPIC filed suit October 14, seeking a preliminary injunction requiringDOJ to process EPIC's request and release the documents as soon aspossible. In support of its entitlement to expedited processing, EPICnoted widespread media interest in the DOJ memorandum and citededitorials and news articles questioning the propriety of theprosecutors' lobbying activities.

EPIC's memorandum in support of its motion for a preliminaryinjunction is available at:
For background information, see EPIC's USA PATRIOT Act page:

[2] Canada's Biometric ID Plan Under Fire

The proposal by the Immigration Minister to implement a system ofbiometric identification in Canada has met with a blast of publicopposition since its inception last year. In the face of concernsover terrorism, and in the interest of furthering commerce and travel,
the program aims to encode biometric identifiers -- such as irisscans, fingerprints and hand geometry -- onto ID cards in order toguarantee that each Canadian is who he or she claims to be. Abiometric identifier is any physical characteristic of a person thatcan be recorded and matched against a person.

An interim report issued by the House of Commons quotes the Ministeras stating: "The card provides certainty because of the securityaround its issuance and the technology used in the card." However,
the report referred to polls and the testimony of several experts toshow that support for the biometric IDs is not strong. The reportalso cautioned that biometric IDs "could have wide implications forprivacy, security and fiscal accountability," and proposed that thegovernment receive more feedback from the public-at-large.

At the same time, a report by Citizenship and Immigration Canada, adepartment of the Canadian government, found that most people predictthat biometric identifying IDs will be found in all Canadians' walletswithin the next ten years.

The report was released at a two-day conference held to encouragediscussion of the use of biometric identifiers and a national ID cardand lay out how the policy would be implemented. Stephanie Perrin,
President of Digital Discretion Company, Inc. and senior fellow atEPIC, addressed privacy concerns at the conference. She urged cautionand pointed to several inherent problems with the policy, includingthe rapid implementation, the security of the information, personsunable to produce a certain biometric identifier, and other abuses anddiscriminations that are likely to result. Another concern is cost.
Governmental forecasts of the financial cost of the project range from3 to 7 billion dollars ($2.3 to $5.3 in USD). However, foreignwatchdog groups that have studied similar plans in other countriesinsist these projections are likely too low.

Not all government officials are on board with the plan. Canada'sInterim Privacy Commissioner recently issued a statement, warning ofthe complexity, risks and costs of the program. He stated thatidentification cards "allow us to be identified even in situationswhere we have every right to remain anonymous" and warned that"without technical limitations and strict controls on their use, theyare a power tool to link together our various activities and produceprofiles of our lives."

There are indications that public opposition may be turning the tides.
Earlier this month, the Minister was reported to back-peddle on hisone-mechanism approach to verifying citizen identity. In a statement,
the Minister proposed a more incremental approach. The secondapproach would implement biometric technology into existinggovernment-issued documents, instead of just one card.

Visit the Citizenship and Immigration Canada conference web site at:

For additional information on ID cards, see EPIC's National ID page

For addtional information on biometrics, see EPIC's Biometrics page

[3] EPIC, PIRG Submit Comments on Bank Security Notices

EPIC, in conjunction with the U.S. Public Interest Research Group(PIRG), has submitted comments to the Department of the Treasuryregarding proposed guidance on security notices to bank customers, inaccordance with the Gramm-Leach-Bliley Act. The groups urged theagency to strengthen its guidelines, which specify when a financialinstitution must give notice to a customer when personal informationhas been accessed without authorization.

The groups called on the agency to require financial institutions toinstitute monitoring systems to detect unauthorized access to personalinformation. Being aware of breaches in security is critical tomaintaining the integrity of the customer information systems andresponding appropriately to violations. The comments also noted thatthe proposed guidance leaves room for broad interpretation as to whenfinancial institutions should provide their primary Federal regulatorwith notice of a security breach. Hence, the comments urged that aninstitution should promptly report any incidents of unauthorizedaccess generally, rather than only when customer information isactually used. The groups also noted that specific guidance is neededas to the method and content of notification, and that the agencyshould include a certification requirement as part of its notificationstandard.

In regards to consumer communication, the comments praised the agencyfor not allowing any circumstances that may delay notification of theaffected customers. However, the groups made several suggestions forimproving the means of notifying consumers.

The EPIC and U.S. PIRG comments are available at:

The Treasury's proposed guidelines are available at:

For background information, see EPIC's Gramm-Leach-Bliley Act page at:

[4] Senate Passes Genetic Privacy Measure

The Senate, in a bipartisan effort, unanimously passed the GeneticInformation Nondiscrimination Act of 2003 (S.1053) earlier this week.
The legislation, sponsored by Sen. Olympia Snowe (R-ME), prohibitsdiscrimination in health insurance by employers' group health plansand by health insurance issuers on the basis of genetic information.
Group health plans and health insurers are forbidden to limitenrollment or vary premiums on the basis of genetic information or onthe basis of an individual's request for genetic tests or servicessuch as genetic counseling. They are also prohibited from requestingor requiring genetic tests.

Genetic information is broadly defined to include an individual'sgenetic tests, genetic tests of an individual's family, or occurrenceof diseases or disorders in the family history. Employers areprohibited from discriminating in hiring, promotions or in any otherway on the basis of genetic information or on the basis of a requestfor genetic services. Employers are prohibited from requiring genetictests or from purchasing genetic information. Employers are permittedto engage in genetic monitoring of the biological effects of toxicsubstances in the workplace when such monitoring is required by stateor federal law, but may do so only with prior written notice andauthorization of employees. Employment agencies and labororganizations are also prohibited from discriminating on the basis ofgenetic information.

The legislation will now go to the House of Representatives, which islikely to act on it next year. Senate sponsors, however, are urgingspeedier action, and hope that Senate and White House support willencourage the House to take up the issue this year, rather than next.

Read the Genetic Information Nondiscrimination Act of 2003 at:

Read Sen. Snowe's statement on the legislation at:

For background information, see EPIC's Genetic Privacy page at:

[5] European Parliament Opposes Air Travel Data Transfer

On October 9, the European Parliament overwhelmingly passed aresolution concerning airlines' transmission of personal data to theUnited States. In doing so, the Parliament made clear the position ofthe European Union on negotiations with the U.S. The resolution notonly details various concessions the European Commission must requireof the United States, but requires that the Commission act within twomonths, or else be brought to the Court of Justice by the EuropeanParliament for failure to do so.

The resolution reveals the increasing urgency of an agreement on theissue, stating that it is imperative that passengers, airlines andreservation systems receive clear indications as soon as possible onwhich measures are to be taken in response to the demands made by theU.S. authorities. The details of the resolution were partially shapedby the recommendations made by the International Conference of DataProtection and Privacy Commissioners held in Sydney in September. Thecommissioners recommended that international transfers of data shouldbe made within the framework of international agreements defining theconditions necessary for ensuring data protection, the clear targetsthat justify the collection of data, a specific and not excessivenumber of items of data, strict limits on the storage period, theprovision of adequate information to the persons concerned, andmechanisms to correct possible errors.

The Parliament urged the EC to determine what data may legitimately betransferred by airlines and/or computerized information systems tothird parties. In doing so, the EC is asked to consider ways toprevent discrimination against non-U.S. passengers and retention ofdata beyond the length of a passenger's stay on U.S. territory. TheEC should require that passengers be fully and accurately informedprior to purchase and their consent be mandatory for data transfer tothe U.S. It should also seek to increase passenger access to a "swiftand efficient appeals procedure should any problem arise."

The requirements of the European Parliament concerning the transfer ofpersonal data by airlines have not changed substantially sinceprevious resolutions. What has changed is the impatience of theParliament with the prolonged process, including the time allotted toreach an international agreement, and their quest for alternative waysto heighten airline security. The EC has been given a two month timeframe as well as a warning of repercussions should it not comply. Theresolution now calls on the EC within this time frame to deny airlinesand computerized information systems any access and/or transfer, whichis not in accordance with the principles.

The text of the October 9 European Parliament resolution isavailable at:

For background information, see EPIC's passenger profiling page at:
The September 2003 resolution passed by the Data Protection & PrivacyCommissioners is available at:

[6] News in Brief

The Federal Trade Commission's Do-Not-Call registry is back in effect,
thanks to a decision by the U.S. Court of Appeals for the 10thCircuit. The court issued a stay of a Colorado District Court'sinjunction barring enforcement of the Do-Not-Call registry. The lowercourt had found the registry to be a violation of free speech, butthat decision was appealed by the FTC, with oral arguments set to beheard on November 10. The appellate court ruled that the FTC shouldbe able to implement the Do-Not-Call registry in the meantime, findingthat the FTC demonstrated a substantial likelihood of success on themerits in appeals. The FTC has re-opened registration to theDo-Not-Call list and is now taking complaints from consumers regardingtelemarketing violations.

The 10th Circuit's decision is available at:

For background information, see EPIC's Do-Not-Call page at:

The Supreme Court announced it will hear arguments on the Child OnlineProtection Act (COPA), a law passed by Congress in 1998 with theintent of limiting children's access to Internet pornography. COPAwas immediately challenged by EPIC, the ACLU and other groups on freespeech grounds and has been stuck in legal limbo ever since. The U.S.
Court of Appeals for the 3rd Circuit has twice struck down the law,
and the Bush administration has appealed both times. Oral argumentsin the case -- Ashcroft v. ACLU, No. 03-218 -- will take place inearly 2004 and a decision is expected by July.

For background information, see EPIC's Child Online Protection Act page

A new report by Jupiter Research found that personalizing websitesfor marketing purposes was costly and ineffective. The report,
entitled "Beyond the Personalization Myth," stated that companieswould be better served by improving site basics, such as navigation,
rather than tailoring pages according to information gathered aboutindividual visitors. The study also found that operating apersonalized Web site cost more than four times more than operating a"comparable dynamic site." Jupiter reported that users were notoverly fond of personalized sites, due greatly to privacy concerns.
In fact, more than 25 percent of consumers surveyed by Jupiter saidthey avoided Web site customization because of concerns that marketerswould misuse the information.

Information about the report is available at:

ICANN will hold a WHOIS Workshop on October 29, 2003 in Carthage,
Tunisia. At this workshop, privacy concerns of Internet domainname registrants will be discussed. The Non-Commercial UsersConstituency is proposing several policy changes to WHOIS that wouldminimize the amount and type of personal data that an individualmust disclose and protect such sensitive personal data fromunrestricted public access. The Public Interest Registry, whichmanages the .ORG domain, has also made recommendations to improveprivacy for WHOIS data.

The ICANN Carthage WHOIS Workshop Agenda is available at:

For background information, see EPIC's WHOIS Privacy page:

On October 8, the High Tech Child Safety Roundtable met at theGeorge Washington University to discuss the use of wireless networkingto track the location of children for their safety. Specifically, thepanel focused on embedding RFID tags in children's clothing, shoes,
pins, ID cards, and other items to monitor the location of a child.
However, the systems discussed would track children only while withinrange of a school or other location that had deployed the technology;
such system would be similar in effect to video surveillance or aparent watching their child. The Roundtable further addressedtechnical implementation issues and data access problems arising fromsuch a system.

See the High Tech Child Safety Roundtable site at:

For background information, see EPIC's RFID page at:

The Transatlantic Consumer Dialogue, which represents EU and U.S.
consumers, has launched an online survey to assess consumers attitudeson spam email. The results of the survey will be announced to seniorofficials from OECD governments and representatives of theinternational press in February 2004.

The survey is available at:

[7] EPIC Bookstore: Corporateering

Jamie Court, Corporateering: How Corporate Power Steals Your PersonalFreedom and What You Can Do About It_, Tarcher/Putnam (2003).

Ralph Nader claimed that when he wants to listen to classical music heno longer needs a radio; instead he calls a major airline and waits onhold for a representative. Jamie Court in "Corporateering" takes noteof dozens similar annoyances and weaves them into a broader argumentthat corporations increasingly "have strained and drained people'smost vital resources, including their money, energy, time, health,
safety, rights, and their own power." Many of Court's examples ofirresponsible behavior involve privacy, including the traffic inpersonal information and invasive marketing to children. Court arguesthat corporations have exceeded their roles as marketplace actors to aposition where they dominate culture and trample on individual rights.

Court, the Director of the Foundation for Taxpayer and ConsumerRights, an assertive California-based non-profit, begins this workwith a definition of corporateer: "v. to prioritize commerce overculture; n. one who prioritizes commerce over culture." The bookdetails how corporations have abused power to corner markets, todeceive individuals, and to infect the public sphere with mindlesscommercialism by naming sports venues and other public places forcorporations which used to be named for great men.

One of the most remarkable portions of the book is a summary of alegal memorandum written by Lewis Powell before his appointment to theSupreme Court. It details how business can capture the public sphere,
and assert power over the individual. The Powell memo advocated amassive pro-business public relations effort and much of it hascrystallized. For instance, one of Powell's suggestions was to createa community of scholars to promote business interests. Today, groupslike the American Enterprise Institute, whose "academics" have thesame level of scholarly independence as a professor of theology at BobJones University, dominate the scene of Washington policymaking,
issuing endless reports trumpeting their theology of Mammon: publicbad, private good. Amen.

The book concludes with a series of recommendations for individualswho wish to counter irresponsible business power. Thorough appendixessuggest laws, institutions, and a new lexicon that could be employedto empower the individual.

Court's work would benefit from a more prominent disclaimer that notall corporate activity is bad. A lack of recognition of this factweakens his argument (his non-profit technically is a corporation, forinstance). Nevertheless, Court's book is well written and insightfuland one can hear the influence of Frederick Douglass in his call toaction: "Small evils quickly become large ones when nourished byinstitutions as powerful as modern corporations and not responded toby individuals."

-Chris Jay Hoofnagle

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 21stedition fully updates the manual that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or need to learn how to litigatethem), this is an essential reference manual.

"Privacy & Human Rights 2003: An International Survey of Privacy Lawsand Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty-five countries around the world. The surveyexamines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systemsand freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Grassroots America Defends the Bill of Rights - National Conference.
Grassroots America (co-sponsored by EPIC). October 18-19, 2003.
Silver Spring, MD. For more information:

Security Laws and Privacy Seminar. Riley Information Service Inc.
October 20, 2003. Ottawa, Canada. For more information:

8th Symposium on Privacy and Security - Identity and Anonymity in anIncreasingly Interconnected World. Swiss Federal Institute ofTechnology. October 21-22, 2003. Zurich, Switzerland. For moreinformation:

Getting the Technology You Deserve: Community Participation inRegional Cable Franchise Policy. Computer Professionals for SocialResponsibility. October 25, 2003. Seattle, Washington. For moreinformation:

Reporting Cyberterrorism. The Newseum and Carnegie Mellon University.
October 27, 2003. Washington, DC. For more information: (703)

ICANN Meeting. Internet Corporation for Assigned Names and Numbers.
October 27-31, 2003. Carthage, Tunisia. For more information:

IAPP Privacy and Data Security Academy and Expo. October 29-31, 2003.
Chicago, IL. For more information:

Business for Social Responsibility Annual Conference - Building andSustaining Solutions. November 11-14. Los Angeles, CA. For moreinformation:

RFID Privacy Workshop. Massachusetts Institute of Technology.
November 15, 2003. Boston, Massachusetts. For more information:

American Society of Access Professionals Workshop. November 18-19,
2003. St. Louis, Missouri. For more information:

Media Freedoms and the Arab World. The Arab Archives Institute.
December 6-8, 2003. Amman, Jordan. For more information: or see

WHOLES - A Multiple View of Individual Privacy in a Networked World.
Swedish Institute of Computer Science. January 30-31, 2004. Stockholm,
Sweden. For more information:

Securing Privacy in the Internet Age. Stanford Law School. March13-14, 2004. Palo Alto, CA. For more information:

International Conference on Data Privacy and Security in a GlobalSociety. Wessex Institute. May 11-14, 2004. Skiathos, Greece. Formore information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Problems or questions? e-mail <

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under"subscription information". Please contact if you wouldlike to change your subscription e-mail address, if you areexperiencing subscription/unsubscription problems, or if you have anyother questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140(tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you cancontribute online at:

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 10.21


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback