EPIC Alert 10.25 [2003] EPICAlert 25


Volume 10.25 December 17, 2003

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Submits Amicus Brief in Supreme Court ID Case
[2] President Signs Credit Reporting Bill
[3] UN Summit Tackles Human Rights in the Information Society
[4] EPIC Testifies Before 9/11 Commission
[5] President Signs "CAN-SPAM" Legislation
[6] News in Brief
[7] EPIC Bookstore: Internet Law - The Complete Guide
[8] Upcoming Conferences and Events

[1] EPIC Submits Amicus Brief in Supreme Court ID Case

EPIC has filed a "friend of the court" brief in Hiibel v. Nevada, a case in which the U.S. Supreme Court will determine whether an individual may refuse to identify himself to police when there is no legal basis for an arrest. Ten scholars and technical experts joined EPIC in urging the Court to ensure that police are not permitted to use stop-and-frisk situations for fishing expeditions through government computer databases.

The case involves a challenge to the constitutionality of Nevada Revised Statute Sec. 171.123(3), which allows a police officer to detain a person to ascertain his identity when there are circumstances reasonably indicating that person has committed a crime. Appellant Larry Hiibel appealed the Nevada Supreme Court's determination that the challenged law is consistent with guarantees against unreasonable search and seizure protected by the Fourth Amendment because it "strikes a balance between constitutional protections of privacy and the need to protect police officers and the public." Hiibel also argues that the law violates the Fifth Amendment protection against self-incrimination.

EPIC's brief approaches the case from a technical perspective, surveying the capabilities and flaws of several existing government information systems: the National Crime Information Center (NCIC), the Multi-State Anti-Terrorism Information Exchange (MATRIX), the United States Visitor and Immigrant Status Indicator Technology System (US-VISIT), the Driver And Vehicle Information Database (DAVID), and the Transportation Workers Identification Credential (TWIC). The brief explains how such systems may be used by law enforcement to engage in public surveillance.

Oral argument in Hiibel v. Nevada is expected next spring.

EPIC's amicus brief is available at:

For background information, see EPIC's Hiibel v. Nevada page at:

[2] President Signs New Credit Reporting Bill

President Bush has signed H.R. 2622, the Fair and Accurate Credit Transactions Act of 2003. The Act was quickly moved through Congress this session in order to preempt state laws that could require heightened privacy protections. It amends the Fair Credit Reporting Act, the first federal privacy law, which was passed in 1970 in an attempt to curb abusive credit reporting practices.

While the Act will limit states' ability to pass laws in certain areas, the new legislation does contain new privacy and consumer protections. The Act requires the Federal Trade Commission (FTC) to create a streamlined process for individuals to obtain one free credit report annually. Credit reporting agencies will be required to disclose credit scores, but they may charge a fee for their provision.

Prescreening is further limited by the Act. Prescreened offers of credit must contain a conspicuous notice of the right to opt-out, and the toll-free number for doing so (888-5-OPTOUT). Individuals will have a new right to opt-out of marketing solicitations that flow from affiliate sharing of personal information. The opt-out will last for five years, at which time the company must issue a new notice and opportunity to opt-out. Medical information is further protected under the Act. Medical information must be coded to obscure providers' names and the nature of services.

When reporting negative information to a credit reporting agency, such as a delinquency or default in payments, financial services companies must give notice to the consumer.

The Act allows individuals to file fraud alerts, which require credit reporting agencies to inform others that fraud may be present. ID theft victims also can request transaction records when businesses have extended credit to an impostor.

The Act extends the time in which individuals can bring suit. Suits can be filed up to two years following the discovery of a violation, or five years following the date of the violation, whichever is earlier.

108 H.R. 2622, The Fair and Accurate Credit Transactions Act of 2003 is available at:

For background information, see EPIC's FCRA Page at:

For background information, see EPIC's Preemption Page at:

[3] UN Summit Tackles Human Rights in the Information Society

Representatives from governments, business, and civil society groups around the world met last week at the World Summit on the Information Society (WSIS) in Geneva. Human rights (including privacy and free expression), online security (including intellectual property regulation), and Internet governance were all discussed at the Geneva Summit. Civil society groups urged national governments to safeguard human rights and to promote full participation in the information society. Representatives adopted a Declaration of Principles and a Plan of Action, which will be examined again in Tunisia in November of 2005.

Many members of civil society have been working inside the Summit process insisting on the inclusion of privacy and human rights protections. On December 8, the Civil Society Plenary of the WSIS unanimously adopted its own declaration called, "Shaping Information Societies for Human Needs: Civil Society Declaration to the World Summit on the Information Society." The members believe that the Declaration and Plan of Action as drafted prior to the Summit did not adequately protect free expression, narrowly focused on Internet policy, and over-emphasized law enforcement interests.

The Human Rights Caucus reported from the Summit that their activity both inside and outside the Summit has been successful with regards to the final Declaration and Plan of Action. According to the Caucus, "The essential principles of universality and indivisibility are reiterated and there are references to the Universal Declaration of Human Rights as well as to the Vienna Declaration and the UN Charter." The document also includes the full extent of Article 19 of the UDHR, which had been at issue. However, as the Caucus reports, much of the Declaration is not focused on human rights but rather on the creation of a "global culture of cyber-security" with interest in global trade rather than on human rights. According to the Caucus, "The discussion around security would have been enhanced by a clear understanding that true security can only be achieved by measures that are fully compatible with international human rights and particularly the right to privacy."

Control of the Internet was also a hot topic on the agenda. The Internet is currently administered by the Internet Corporation for Assigned Names and Numbers (ICANN), a group established by the U.S. Commerce Department. The U.S. has not been proactive in a movement to help poorer countries gain access to the Internet, which would require money from industrial nations. Many representatives, particularly those from developing nations, are therefore in favor of a more international body such as the United Nations to take administrative control of the Internet. This adjustment was not made at the Summit. However, the delegates agreed that a UN working group should be set up to examine whether to introduce more international oversight of the Internet's semiformal administrative bodies. Another United Nations committee will be established to review ways of paying for efforts to connect the poorer populations to the Internet.

Privacy protection of civil society representatives attending the Summit was called into question by a study highlighting technology used in Summit security. Independent researchers attending the event revealed security and privacy flaws in the security system used to control access to the Summit. Security badges issued to participants contained SmartCards and Radio Frequency Identification (RFID). Such technology can be triggered remotely without the cardholder noticing and allowed cardholders to be tracked in their attendance at the Summit. When participants were required to obtain security badges, they were not informed of the possible surveillance and were not provided with any information on privacy policies and procedures.

The second phase of the World Summit on the Information Society will take place in Tunisia, from November 16-18, 2005. There will be a preparatory meeting in the first half of 2004 to review both the issues needing focus in Tunisia and the structure of the process. The meetings in Geneva and the follow-up to the Declaration and Plan of Action in Tunisia in 2005 will help shape the future of the Information Society.

The WSIS Declaration of Principles and Plan of Action is available at:

Information on the Civil Society Declaration is available at:

For background information, see EPIC's RFID page at:

[4] EPIC Testifies Before 9/11 Commission

EPIC Executive Director Marc Rotenberg testified before the National Commission on Terrorist Attacks in a public hearing on December 8. The commission is an independent, bipartisan group created by Congress to investigate the circumstances surrounding the September 11 terrorist attacks and examine ways to prevent future attacks. Rotenberg was invited to speak before the commission in a session on "Security and Liberty." His panel, which was charged with discussing the protection of privacy while preventing terrorism, also included former Department of Defense General Counsel Judith A. Miller, and Stewart A. Baker, former General Counsel of the National Security Agency.

In his statement, Rotenberg emphasized the important history of privacy protection, the problems with new systems of surveillance, and the specific need to preserve Constitutional checks and balances. He began by discussing the development of privacy law in the U.S. and underscoring the important role such laws play in protecting individual rights. Rotenberg also pointed out that "much of the discussion about the expansion of government surveillance authority post 9-11 has failed to recognize that under our form of government, there are critical checks and balances that must be respected." New laws and security proposals the U.S. has considered since September 11 extend government powers of surveillance while rolling back important safeguards Congress previously had established to protect the privacy of citizens, Rotenberg argued.

Rotenberg went on to discuss the effects of new technology on individual privacy. He pointed out that there are many ways new technology can be employed without jeopardizing privacy. However, the U.S. has been intent upon employing a host of new systems of surveillance to monitor its citizens that are highly privacy invasive. Rotenberg expounded on two systems in particular -- Total Information Awareness (TIA) and the Computer Assisted Passenger Prescreening System (CAPPS II). He criticized both systems for not adequately following federal privacy regulations nor considering privacy concerns, and suggested that these systems would hurt, not help, the American people.

Finally, Rotenberg proposed a set of recommendations to the commission, urging it to consider privacy concerns when formulating its report to Congress. Specifically, he underscored the important role privacy law has played and continues to play in safeguarding citizens and warned that high-tech surveillance systems being considered in our country pose an immense threat to society, especially if not properly monitored or held accountable.

Rotenberg's statement is available at:

Information on the National Commission on Terrorist Attacks is available at:

For background information, see EPIC's Total Information Awareness page at:

For background information, see EPIC's Passenger Profiling page at:

[5] President Signs "CAN-SPAM" Legislation

Congress acted swiftly in passing S. 877, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, known as the "CAN-SPAM" Act. The Act creates new penalties for sending deceptive spam advertising, but does not "can" truthful unsolicited commercial e-mail. The Act allows every spammer in the world to send every Internet user at least one message. The Act does not address list brokerage, the source of the majority of unwanted advertising. Furthermore, the Act supersedes state laws, thereby eliminating stronger protections against spam in many states, including individual rights of action against spammers, and a California opt-in spam law which would have taken effect on January 1.

The Act defines spam as any message where the "primary purpose" is the "commercial advertisement or promotion of a commercial product or service." In twelve months, the Federal Trade Commission (FTC) must issue criteria to determine the "primary purpose" of a message. "Transactional or relationship" messages, that is, messages for account maintenance, product recall or safety information, or those necessary to complete a sale initiated by the recipient, are exempted from some provisions of the Act.

Spam must include notice that the message is an advertisement or solicitation, an opt-out notice, and a valid postal address of the sender. If the recipient opts out of the spam, the sender has ten days to stop spamming. Address harvesting and dictionary attacks are illegal under the Act, but these practices are considered aggravating offenses, and they cannot serve as the sole basis of prosecution of a spammer.

The Act prohibits falsification of transmission information and deceptive subject headings. The Act creates criminal prohibitions against those who knowingly transmit spam through others' computers without authorization. Also, the FTC may pursue individuals who knowingly hire others to send deceptive spam. However, these and other criminal provisions are encumbered by unusually burdensome litigation requirements. For instance, the prohibition on deceptive subject headings would require the government to prove in court that the sender knew that the message would mislead a reasonable recipient.

Spam with "sexually oriented" material must be labeled with a notice that will be developed by the FTC and the Attorney General within six months.

The Act gives the FTC the authority to create a do-not-spam registry. The agency must issue a report to Congress on the feasibility of such a registry within six months, and may implement it three months after the report.

Enforcement of the Act is limited to the FTC, state attorneys general, and Internet Service Providers. Some individuals may be able to qualify as Internet Service Providers, and bring lawsuits under the Act. But, damages are capped, and spammers can obtain a reduction in fines if they can show implementation of "reasonable practices" to avoid violation of the Act. Earlier this year, the Internet Committee of the National Association of Attorneys General described this reduction in fines as "unprecedented in consumer protection law" and "an additional barrier to enforcement."

The CAN-SPAM Act of 2003 is available at:

The letter from the NAAG Internet Committee Objecting to CAN-SPAM is available at:

For background information, see EPIC's Spam page at:

[6] News in Brief


The European Commission has temporarily agreed to provide the United States with information on its airline passengers traveling to the U.S. EU Commissioner Frits Bolkestein worked out the final details of the agreement Monday with U.S. Department of Homeland Security Secretary Tom Ridge. Pursuant to what is now only a temporary arrangement, U.S. authorities would legally get access to passenger name records (PNR) of travelers from Europe subject to a few safeguards: the period during which data would be retained is 3 1/2 years (down from 50 years); the fields of PNR transferred to the US would be limited to 34 (it would include fields such as passenger's name and address, credit card information, telephone number and travel companions); the passenger data, once disclosed in the U.S., could only be used against terrorism and to prosecute crimes of a transnational nature; E.U. passengers would have the right to complain before their national data protection authorities if the DHS fails to properly resolve their complaints; and a US-EU joint annual review would be carried out to assess how the U.S. implements the agreement. The deal comes after a year of negotiations in which the U.S. has sought expansive access to EU passenger information as a part of its war on terrorism. The agreement may still violate European privacy laws and faces opposition from the European Parliament.

The statement of the European Commission is available at:

The speech by Frits Bolkestein before the European Parliament is available at:

For background information, see EPIC's EU-U.S. Airline Passenger Data page at:

The 3rd U.S. Circuit Court of Appeals has decided that an employer who accessed his employee's e-mails in computer storage did not violate the Electronic Communications Privacy Act (ECPA). In the case of Fraser v. Nationwide Mutual Insurance Co., the court ruled that the ECPA only bans interception of email if it occurs at the time of the transmission, thus allowing the owner of the email system to view any stored e-mail it wishes. "Every circuit court to have considered the matter has held that an 'intercept' under the ECPA must occur contemporaneously with transmission," wrote Judge Thomas L. Ambro in the majority opinion. Ambro found that ECPA prohibits "seizures" of stored e-mails but includes an exception for seizures authorized "by the person or entity providing a wire or electronic communications service."

The 3rd Circuit Court's opinion in Fraser v. Nationwide Mutual Insurance Co. is available at:

For background information, see EPIC's Workplace Privacy page at:

President Bush signed H.R. 2417, the Intelligence Authorization Act for Fiscal Year 2004, into law on December 13. The Act authorizes appropriations for intelligence-related activities of various federal agencies, including the Department of Defense, Department of Homeland Security, and Federal Bureau of Investigation (FBI). A provision added to the bill in committee in mid-November, after the bill had been passed by the House and Senate, expands FBI authority to seize records in terrorism investigations. The Act permits the FBI to demand records without judicial approval from car dealers, pawnbrokers, travel agents, casinos, and other businesses.

The text of H.R. 2417 is available at:

The committee report is available at:

The Gilmore Commission, also known as the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction, released its fifth and final annual report to the President and Congress on December 15. Among the Commission's recommendations is the creation of a bipartisan board to provide oversight on homeland security activities that may impinge upon civil liberties. According to the report, such a board is necessary because of the "potential chilling effect" of government surveillance conducted for homeland security purposes. The Committee also recommends the establishment of a domestic intelligence agency responsible for collecting and analyzing information related to terrorist threats within the United States. Since its inception, the Committee has made 144 recommendations, 125 of which have been adopted by Congress and government agencies.

The Gilmore Commission's homepage is available at:

The Gilmore Commission's Fifth Annual Report is available at:


A new study by the National Community Reinvestment Coalition has found that discrimination is widespread in home lending, resulting in "African-American and predominately elderly communities receiv[ing] a considerably higher level of high cost subprime loans than is justified based on th[eir] credit risk." Traditionally, lenders have argued that credit scoring systems allow lending decisions to be made in a colorblind fashion. However, the study, which controlled for risk and housing market conditions, found that race and age were strongly correlated with unfair, high-cost sub-prime lending.

Race and Age Discrimination in Lending Documented, National Community Reinvestment Coalition, December 2003, is available at:


EPIC has obtained a message under the Freedom of Information Act from the American Embassy in Mexico to U.S. government officials regarding the acquisition of Mexicans' personal information by ChoicePoint. The message alerted the White House, the Department of Homeland Security and other agencies that Mexican newspapers and political leaders objected to the transfer of voting and driving records to ChoicePoint, and warned that "a potential firestorm may be brewing." In April 2002, documents obtained by EPIC revealed that the Immigration and Naturalization Service contracted with ChoicePoint to obtain citizen registry, motor vehicle, and other information for Brazil, Argentina, Mexico, Colombia, and Costa Rica. These documents led to calls for investigations in several countries (See EPIC Alert 10.08).

The message from the American Embassy in Mexico to Washington is available at:

Records Showing INS Purchase of Information on Latin and Central Americans are available at:


EPIC has urged the Federal Communications Commission to address the privacy implications of Voice over Internet Protocol (VoIP), a technology that enables Internet telephony. In a letter to the agency, EPIC recounted the FCC's past actions to protect privacy, and argued that the adoption of genuine privacy practices will accelerate the adoption and security of Internet telephony. Specifically, EPIC requested that the FCC create "technical and legal safeguards to protect communications traffic (content and routing information) and user location information, and to ensure that those expert in privacy law and regulation participate in the work of the FCC on VOIP."

The EPIC VoIP Letter is available at:

The FCC VoIP Forum is available at:

[7] EPIC Bookstore: Internet Law - The Complete Guide

Steven D. Imparl, Internet Law - The Complete Guide (Specialty Technical Publishers, Canada 2003) (available in loose-leaf binder and CD-rom, 4 updates per year).

This 3-volume guide very clearly outlines the most important rules in the field of Internet law. Its sections on children's privacy, consumer protection laws, advertising and telemarketing laws applicable to online and offline commerce, workplace privacy, and unsolicited e-mail are completed with very useful checklists for professionals and consumers alike. Each section is completed by up-to-date references to regulations in force, Internet resources, and indexes of relevant case law and statutes. The "Internet Law - The Complete Guide" offers practical advice to privacy and consumer protection practitioners, consultants and advocates, as well as consumers.

- Cédric Laurant

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"Privacy & Human Rights 2003: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty-five countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

WHOLES - A Multiple View of Individual Privacy in a Networked World. Swedish Institute of Computer Science. January 30-31, 2004. Stockholm, Sweden. For more information:

The New Fair Credit Reporting Act. Privacy & American Business. February 9-10, 2004. Washington, DC. Email

O'Reilly Emerging Technology Conference. February 9-12, 2004. San Diego, CA. For more information:

IAPP 4th Annual Privacy & Security Summit & Expo. February 18-20, 2004. Washington, DC. For more information:

RSA Conference 2004 - The Art of Information Security. February 23-27, 2004. San Francisco, CA. For more information:

Securing Privacy in the Internet Age. Stanford Law School. March 13-14, 2004. Palo Alto, CA. For more information:

International Conference on Data Privacy and Security in a Global Society. Wessex Institute. May 11-13, 2004. Skiathos, Greece. For more information:

O'Reilly Open Source Convention. July 26-30, 2004. Portland, OR. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Problems or questions? e-mail < >

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 10.25

