EPIC Alert

EPIC Alert 10.22 [2003] EPICAlert 22


Volume 10.22 October 30, 2003

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Supreme Court to Review Nevada ID Law
[2] Senate Approves Weak Spam Legislation
[3] Maryland Legislators Question Voting Machine Report
[4] Worldwide NGO Coalition Urges ICANN To Safeguard Privacy
[5] EU Set to Implement Privacy Directive
[6] News in Brief
[7] EPIC Bookstore: How to Get Anything on Anybody
[8] Upcoming Conferences and Events

[1] Supreme Court to Review Nevada ID Law

The United States Supreme Court has agreed to consider a case that may determine whether an individual who has not been arrested may refuse to identify himself to a law enforcement officer. The case, Hiibel v. Sixth Judicial District Court of Nevada, raises numerous privacy issues such as Fourth Amendment protections against unreasonable government search and seizure, the right to anonymity, and law enforcement accumulation and use of personal information. EPIC and others plan to file "friend of the court" briefs in December.

Larry Hiibel challenged the constitutionality of a Nevada law that allows a police officer to detain a person to determine his identity when there are circumstances reasonably indicating that person has committed, is committing, or is about to commit a crime. Hiibel was arrested pursuant to this law when he refused eleven times to identify himself to an officer investigating a report of domestic violence, explaining that he was willing to cooperate with the officer but had done nothing wrong. Hiibel was subsequently charged with and convicted of resisting a police officer.

On appeal, the Supreme Court of Nevada determined that the law does not violate Fourth Amendment protections against unreasonable search and seizure because it "strikes a balance between constitutional protections of privacy and the need to protect police officers and the public." The court found that permitting officers to require identification allows them to more safely conduct investigations, and is not as invasive as a pat-down, which the law allows.

In a strongly worded dissenting opinion, three of the Nevada Supreme Court's seven Justices criticized the majority for "reflexively reasoning that the public interest in police safety outweighs Hiibel's interest in refusing to identify himself," noting that no evidence exists that an officer is safer for knowing a suspect's identity. "What the majority fails to recognize," the dissenting opinion continued, "is that it is the observable conduct, not the identity, of a person, upon which an officer must legally rely when investigating crimes and enforcing the law." The dissenting Justices also noted that anonymity is included in the right to privacy, which in turn is protected during pre-arrest frisks performed by officers.

The Supreme Court will hear oral arguments in the case early next year.

Nevada Revised Statute 171.123(3) is available at:

The Nevada Supreme Court opinion is available at:

For background information, see EPIC's Hiibel v. Nevada Page at:

[2] Senate Approves Weak Spam Legislation

On October 22 the Senate unanimously passed anti-spam legislation that would set a federal standard, preempting the laws of more than 35 states that have attempted to reduce the number of unsolicited commercial e-mails. The legislation, S. 877, known as the Can-Spam Act of 2003, was enacted to attack the 13 billion e-mails that clog e-mail in-boxes across the globe each day. Yet, the preemption provision would do away with some stronger state privacy regulations, such as the regulations that just were signed into law by Gov. Gray Davis in California.

The Act, sponsored by Sens. Conrad Burns (R-MT) and Ron Wyden (D-OR), originally created only civil penalties for fraudulent, unsolicited commercial e-mails. However, Sens. Patrick Leahy (D-VT) and Orrin Hatch (R-UT) added amendments creating criminal penalties for the acts of disguising a commercial sender's identity or a computer's location, cracking a computer system to send bulk spam, and sending spam from several falsified accounts.

In addition, Sen. Charles Schumer (D-NY) added an amendment that would give the Federal Trade Commission (FTC) the authority to create a "do-not-spam" list similar to the "do-not-call" list implemented this fall. However, serious technical and practical questions remain regarding whether the FTC has the resources to enforce a do-not-spam list, especially as the agency currently does not pursue individual complaints.

On July 18, thirteen consumer protection and public interest groups, led by EPIC, sent a letter to Congress urging enactment of certain key provisions to assure strong anti-spam protection. Those provisions included an opt-in system for the receipt of bulk commercial e-mails, private rights of action, international collaboration and no preemption of stronger state laws. None of these provisions are included in the Can-Spam Act; in fact, just the opposite; the Act sets out an opt-out scheme, provides for no private right of action or international collaboration, and preempts all state law.

In addition, the Act appears to legalize non-fraudulent spam, and includes a very broad exception for any business that has obtained a recipient's e-mail address in any way from the recipient. The broad exceptions will likely lead to more and more businesses requiring an e-mail address to access the company's site or for any transaction with a recipient, allowing the business to then legally spam.

A survey of state spam laws is available at:

The text of the Can-Spam Act is available at:

For background information, see EPIC's Spam Page at:

[3] Maryland Legislators Question Voting Machine Report

Two Democratic legislators in Maryland have called for an independent audit of the computerized voting machines the state recently contracted to purchase from Diebold Election Systems, Inc. In a letter to the director of the Maryland Department of Legislative Services, Sen. Paula C. Hollinger (D-Baltimore County) and Del. Sheila Ellis Hixson (D-Montgomery) expressed concern that a report issued in September by Science Application International Corp. (SAIC) on security weaknesses in the system was not reliable and requested an unbiased examination.

Computer scientists from Johns Hopkins and Rice Universities released a study in July that found serious security weaknesses in Diebold's Accu-Vote TS voting system. In response, Maryland Governor Robert L. Ehrlich (R) commissioned a report by SAIC of San Diego to investigate the system's integrity. The SAIC study also found that Diebold's voting machines had serious security vulnerabilities, but went on to state that the authors of the Hopkins study "did not have a complete understanding of the State of Maryland's implementation of the AccuVote-TS voting system, and the election process controls or environment." The SAIC study followed with recommendations for how to remedy the machines' security flaws. Based on this report and steps taken by Diebold, Governor Ehrlich gave the state the go-ahead to install the system, which it has begun to do.

Sen. Hollinger and Del. Hixson, however, have raised questions as to the impartiality of SAIC, a research company that has had a standing contract with the state government since 2002 for information technology consulting. Hollinger and Hixson have called on the Department of Legislative Services to look into the process used to select SAIC and to ensure that "the SAIC analysis was objective, balanced, impartial, and free of outside influence or other conflicts." The legislators also expressed their displeasure with their lack of involvement in discussing and debating the voting machines issues that have arisen.

The Johns Hopkins Report is available at:

The Science Application International Corp. report is available at:

Gov. Ehrlich's press release on the voting systems is available at:

[4] Worldwide NGO Coalition Urges ICANN To Safeguard Privacy

More than 50 consumer and civil liberties organizations from 22 countries around the world have urged Internet Corporation for Assigned Names and Numbers (ICANN) President Paul Twomey to limit the use and scope of the WHOIS database to its original purpose (the resolution of technical network issues) and to establish strong privacy protections based on internationally accepted privacy standards. ICANN recently met in Carthage, Tunisia, to discuss the privacy issues surrounding the use of the WHOIS database.

ICANN is the non-profit corporation that is assuming responsibility from the United States Government for coordinating certain Internet technical functions, including the management of the Internet domain name system. WHOIS is a database that contains information for every registered Internet domain. It includes registrant's contact information (names, postal and e-mail addresses, and telephone numbers of technical, administrative and billing contacts); registration status and expiration date; as well as technical information about the domain name.

While ICANN has moved aggressively to establish accuracy requirements for domain name registrants, the signatories of the letter asserted that it had failed to establish corresponding protections for personal information that is provided. ICANN's role is to ensure that the policies developed for the WHOIS database respect the privacy of every individual who registers Internet domains. This includes implementing reduced access, purpose specification, minimal data collection and legitimate secondary use requirements, compatible with international privacy standards. The publication of individuals' registration information on the Internet through the WHOIS database cannot be mandatory, and the disclosure of WHOIS information to a law enforcement official, or in the context of civil litigation, must be pursuant to explicit legal authority set out in statute.

The use and management of the WHOIS database without adequate data protection safeguards raises serious risks for domain name holders, not only to their right to privacy, but also to their freedom of expression. Many users, particularly in the non-commercial world, have valid reasons to conceal their identities while registering domain names. Political, cultural, and religious groups, as well as media organizations, non-profits and public interest groups around the world rely on anonymous access to the Internet to publish their messages. Anonymity is critical for them to avoid persecution.

The main purpose of the WHOIS database should be to resolve technical network issues, the most important being the problem of unsolicited commercial e-mails, or "spam," the letter states. A sensible WHOIS policy would improve contact-ability and data accuracy for network administrators. It would not make personal information widely accessible to third parties, particularly spammers, stalkers, and law enforcement agents without proper legal authority. Such a policy would not hamper lawful criminal investigations but would instead establish necessary privacy safeguards, while reducing the risk that the widespread availability of WHOIS information will lead to greater fraud, more spam, and jeopardize freedom of expression.

The letter to ICANN with the list of signatories is available at: (French version) (Spanish version)

Information on the ICANN meeting in Carthage is available at:

For background information, see EPIC's WHOIS page at:

[5] EU Set to Implement Privacy Directive

The Directive on Privacy and Electronic Communications (2002/58/EC), that entered into force in July 2002, must be transposed in European Union (EU) Member States by October 31, 2003. It provides, as a general rule, for the confidentiality of communications and related traffic data, and prohibits, in particular, any unauthorized listening, tapping, storage or other type of interception or surveillance of electronic communications by persons other than users, without users' consent. The Directive prohibits, for example, unsolicited commercial e-mail ("spam") without the recipient's consent (opt-in), and protects mobile phone users from precise location tracking and surveillance. It also provides that EU Member States may, for reasons of national security, defense, public security and the prevention, investigation and prosecution of criminal offences, enact legislation providing for the retention of traffic and location data by telecommunications operators.

So far Austria, Belgium, Denmark, and Italy have implemented the opt-in regime for unsolicited commercial e-mail, while eight EU countries have adopted laws providing for the retention of traffic data for periods ranging from three months to a year. A Council of the EU Framework Decision is currently being drafted that would compel every Member State to implement EU-wide uniform data retention rules for periods ranging from 12 to 24 months.

The road to the implementation of Directive 2002/58 in the area of data retention is bumpy, as several privacy experts and EU institutions have criticized the concept that traffic data of all users of electronic communications should be retained for long periods. In January 2003, the Data Protection Working Party - Article 29 recommended that electronic communications traffic data, collected in connection with services that have been paid for, be kept for a maximum of three to six months in order to comply with EU data protection rules. At the International Conference of Privacy Commissioners in Cardiff in September 2002, the European Data Protection Commissioners declared that keeping "all kinds of traffic data for a period of one year or more would be clearly disproportionate and therefore unacceptable in any case." A recent legal opinion by Privacy International and the international law firm of Covington & Burling, that reviews the compatibility of data retention provisions in Europe with the existing legal framework, concludes that "the data retention regime envisaged by the [EU] Framework Decision, and now appearing in various forms at the Member State level, is unlawful" with regard to Article 8 of the European Convention on Human Rights and the case law of the European Court of Human Rights.

Directives are a form of EU regulation that are binding for Member States, but only as to the result to be achieved. They leave the national authorities to choose the form and methods of their implementation. The rules of law applicable in each Member State are the national laws implementing the directives and not the directive itself. However, the directive has a "direct effect" on individuals: it grants them rights that can be upheld by national courts in their respective countries if their governments have not implemented the directive by the set deadline.

The text of Directive 2002/58/EC is available at:

For background information, see EPIC's International Data Retention page at:

[6] News in Brief

The Senate will consider legislation to amend the federal Fair Credit Reporting Act early next week that, if passed, will invalidate state privacy and identity theft laws. The legislation, S. 1753, will permanently preempt state financial privacy laws, and bar states from passing legislation to restrict affiliate information sharing. Affiliate sharing represents a major threat to individuals' privacy, as it allows banks to exchange Social Security Numbers, balances, payment, purchase, and other information to an unlimited degree. Large banks have sought broad affiliate sharing relationships, arguing that it lowers costs to consumers. But a 2003 report by the Federal Reserve indicates that fees at large banks are up, and the number of services offered is shrinking. Furthermore, provisions in the legislation have been engineered to reduce states' ability to pass identity theft laws.

Sens. Boxer (D-CA) and Feinstein (D-CA) are supporting an amendment to the legislation that would create an opt-out right for affiliate sharing that closely resembles consumer protections in California's Senate Bill 1 passed earlier this year (See EPIC Alert 10.17). A broad coalition of groups, including Consumers Union, AARP, and U.S. PIRG, are urging individuals to contact the Senate in support of the Boxer/Feinstein Amendment.

The text of S. 1753, National Consumer Credit Reporting System Improvement Act of 2003, is available at:

The Federal Reserve Annual Report on Retail Fees and Services of Depository Institutions is available at:

The Boxer/Feinstein Amendment page is at:

Consumers Union's FCRA Action Page is at:

US PIRG's FCRA Action Page is at:

For background information, see EPIC's FCRA page at:

As radio frequency identification (RFID) technology is being applied in more and more ways, the U.S. and local governments are coming up with their own applications and MIT is getting out of the business altogether. The U.S. government announced plans to employ RFID tags in supplies for the nation's defense by 2005. The Department of Defense presented plans earlier this month to attach RFID tags to all military supplies -- from tanks and weapons to crates of food -- in order to keep better tabs on the items. On a local level, the San Francisco Public Library wants to keep better watch over the city's library books. The plan, also predicted to be functional by 2005, would tag the library's 2 million books, CDs and other materials that are accessible to patrons. Library officials assure that the tags would be deactivated before a patron left with the books, but concerns still linger over the retention and accessibility of the information generated by the tags. Finally, MIT announced that RFID technology has gone beyond the university's mission. The technology, now beyond the research stage and into the deployment stage, has been handed off to the global research company EPCglobal to oversee international standards. The transfer rids MIT of not only the technology for a time, but also the barrage of public relations attacks from those opposed to the privacy implications.

For background information, see EPIC's RFID page at:

On October 21, the United States Postal Service proposed new requirements for sender identification for users of "discount" mail rates. Under the system, discount mail senders would have to identify themselves in order to "facilitate investigations into the origin of suspicious mail." The notice cited a report issued by the President's Commission on the United States Postal Service that recommended a system of "intelligent mail" for the country, one in which all senders would be required to identify themselves on the mail piece. The Postal Service explained that "requiring sender-identification for discount rate mail is an initial step on the road to intelligent mail."

On October 28, the Postal Service announced that it would withdraw the notice requiring sender identification and reissue it, claiming that the notice, "has caused misunderstanding in some quarters."

Information on Sender-Identified Mail: Enhanced Requirement for Discount Rate Mailings is available at:

The Postal Notice Announcing Withdrawal, Reissuance of Sender ID Requirements is available at:

On October 17, three ranking members of the U.S. Senate sent a letter to Secretary of Defense Donald Rumsfeld questioning the legality of a government contractor's transaction with JetBlue Airways. Governmental Affairs Committee Chairman Susan Collins (R-ME) and ranking Democrat Joseph Lieberman (D-CT) as well as Armed Services Committee ranking member Carl Levin (D-MI) urged Rumsfeld to explain why a government contractor, Torch Concepts, collected more than five million passenger names, addresses, phone numbers and travel itineraries from JetBlue. The Senators asked Rumsfeld whether he had requested an investigation of possible violation of federal privacy protection laws by both Torch Concepts and the Department of Defense. They believe that the database established by Torch Concepts may be covered under the Privacy Act of 1974, in which case the DOD and Torch Concepts could be in violation for failure to publish notice of the collection and for sharing the data between agencies.

The text of the Senators' letter to Secretary Rumsfeld is available at:

For background information on the data transfer, see EPIC's Passenger Profiling page at:

[7] EPIC Bookstore: How to Get Anything on Anybody

Lee Lapin, How to Get Anything on Anybody Book 3. Intelligence Here, 2003.

EPIC recently received a free copy of Lee Lapin's third installment of "How to Get Anything on Anybody," which is the "Bible" of privacy invasion. The promotional materials accompanying the book poke fun at federal investigators, pointing out that for all of their recent intelligence failures, they did find Patty Hearst. Lapin's new publication promises to put readers "ahead of most federal intelligence agencies when it comes to cutting edge electronic surveillance, people tracking, asset discovery and dossier assimilation."

Although the book is a step-by-step guide to committing, in some cases, illegal activity, it provides valuable insights on investigatory measures and on protecting privacy. Some of the investigatory advice is on simple social engineering, and surveillance techniques that are known to individuals with basic knowledge of electronics. However, some of Lapin's tricks are brilliant, especially in regard to avoiding privacy violations. It, for instance, points out that in order to avoid pretexting, one should never give personal information over the phone -- even confirming one's name can provide a hook for a smart investigator to pretext. He recommends that if a bank or other company calls, the individual should call the business back, thereby reducing impostors' chances of tricking you into providing personal information.

Chapters in Lapin's book on "How to Hide a Message" are followed by chapters on "How to Detect Hidden Messages." The book also contains a list of 30 sources for individuals' Social Security Numbers, further pointing out that uncontrolled collection of the identifier raises serious privacy risks. The book contains a list of 104 rules to live under the surveillance radar, which include the obvious, such as "don't sue anyone," to the more obscure, including avoiding the use of toll-free numbers, as embedded systems transmit your name and address to the company when you dial them.

Chris Jay Hoofnagle

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"Privacy & Human Rights 2003: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty-five countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

IAPP Privacy and Data Security Academy and Expo. October 29-31, 2003.
Chicago, IL. For more information:

Business for Social Responsibility Annual Conference - Building and Sustaining Solutions. November 11-14. Los Angeles, CA. For more information:

RFID Privacy Workshop. Massachusetts Institute of Technology.
November 15, 2003. Boston, Massachusetts. For more information:

Trespassing in Cyberspace. Justice Talking - National Public Radio.
November 18, 2003. Philadelphia, PA. For more information:

American Society of Access Professionals Workshop. November 18-19,
2003. St. Louis, Missouri. For more information:

Media Freedoms and the Arab World. The Arab Archives Institute.
December 6-8, 2003. Amman, Jordan. For more information: or see

WHOLES - A Multiple View of Individual Privacy in a Networked World.
Swedish Institute of Computer Science. January 30-31, 2004. Stockholm,
Sweden. For more information:

O'Reilly Emerging Technology Conference. February 9-12, 2004. San Diego, CA. For more information:

Securing Privacy in the Internet Age. Stanford Law School. March 13-14, 2004. Palo Alto, CA. For more information:

International Conference on Data Privacy and Security in a Global Society. Wessex Institute. May 11-14, 2004. Skiathos, Greece. For more information:

O'Reilly Open Source Convention. July 26-30, 2004. Portland, OR. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Problems or questions? e-mail <

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 10.22

