EPIC Alert 10.04 [2003] EPICAlert 4


Volume 10.04 February 24, 2003

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Data Sellers May Be Liable for Sale of Personal Information
[2] EPIC Files Comments at FTC Workshop on Cross-Border Fraud
[3] Senator Proposes Domestic Spy Agency; Bush Launches Threat Center
[4] Congress Passes "Do-Not-Call" Legislation
[5] EPIC Comments on Proposed Airline Passenger Database
[6] Privacy International Seeks "Stupid Security" Contest Submissions
[7] EPIC Bookstore: Hong Kong Data Privacy Law
[8] Upcoming Conferences and Events

[1] Data Sellers May Be Liable for Sale of Personal Information

The New Hampshire Supreme Court issued an important decision on February 18 in Remsburg v. Docusearch, a civil lawsuit brought against information brokers and private investigators for selling personal data about Amy Boyer to a stalker who murdered her after using that information to locate her. Boyer's killer obtained information about her through Docusearch, a data brokerage firm run by private investigators, who used pretexting to obtain Boyer's employment address and other information. EPIC filed an amicus brief in the case, arguing that private investigators and information brokers should be liable for wrongful privacy invasions of third parties about whom they are collecting and disseminating information.

The court held that private investigators and information brokers have a duty to exercise reasonable care when the sale of personal information creates a risk to the individual being investigated. The court found that stalking and identity theft are two foreseeable harms that give rise to the duty to exercise care. In a significant expansion of privacy protection, the court held that the investigators could be liable for damages resulting from the sale of information obtained through pretexting. This holding exceeds federal protections against pretexting phone calls, which were enacted with the passage of the Gramm-Leach-Bliley Act. Finally, the court held that individuals may have a tort cause of action against investigators who purchase their Social Security Numbers (SSNs) from credit reporting agencies without permission. The court noted, "While a SSN must be disclosed in certain circumstances, a person may reasonably expect that the number will remain private."

Now that the New Hampshire Supreme Court has ruled, the case will be remanded to a federal district court where a trial will proceed to determine whether Docusearch and the other defendants were actually liable for Amy Boyer's death.

New Hampshire Supreme Court Decision in Remsburg v. Docusearch:

EPIC's Amicus Brief:

EPIC's Amy Boyer Case Page:

Amy Boyer Memorial and Informational Web Site:

[2] EPIC Files Comments at FTC Workshop on Cross-Border Fraud

On February 20, the Federal Trade Commission (FTC) explored "Potential Partnerships Among Consumer Protection Enforcement Agencies and Internet Service Providers and Web Hosting Companies" and "Cooperation Between Consumer Protection Enforcement Agencies and Domain Registration Authorities" as two panels of a public workshop on partnerships against cross-border fraud. EPIC submitted statements for inclusion in both of these panels.

In the "Potential Partnerships" panel, the discussion first focused on trying to assess how Internet Service Providers (ISPs) and Web hosting companies could more efficiently share their subscribers' personal information with the FTC and foreign law enforcement authorities in the context of cross-border fraud. EPIC's statement asserted that the FTC's foremost role is to protect consumers' privacy, and that the debate should be refocused to concentrate less on how privacy rules may represent a hurdle for law enforcement and more on how the FTC could articulate its law enforcement activities with the task of protecting the privacy of defrauded consumers. To develop cooperation and information-sharing partnerships between the public and private sectors in the context of consumer fraud investigations, EPIC recommended to the FTC that the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines be used as a trans-national legal framework to protect the privacy of consumers in the context of the international transfer of personal information. Because such guidelines have served as a model for several national data protection laws, they should foster consumer confidence by providing strong principles for the protection of consumer privacy. EPIC's statement also addressed many of the privacy implications of cross-border transfers of personal information in consumer fraud investigations.

During the panel on "Cooperation Between Consumer Protection Enforcement Agencies and Domain Registration Authorities", the FTC considered the expanded use of information about Internet domain name registrants for law enforcement purposes. In particular, the Commission explored how domain registrars and registries could improve the accuracy of WHOIS data in the generic top-level domains. WHOIS data consists of domain name registrants' contact information, administrative contact information, and technical contact information -- all of which include mailing address, email address, telephone number, and fax number -- as well as domain name, domain servers, and other information. This data is globally, publicly accessible. EPIC recommended that the FTC address the privacy, free speech, and consumer fraud implications of requiring domain name registrants to provide accurate personal information. EPIC also emphasized that the FTC plays a critical role both in investigating consumer fraud and protecting consumers from fraud. Specifically, the FTC advises consumers not to disclose personal information, and if consumers choose to disclose personal information, they should know who is collecting the information, why the information is being collected, and how it is going to be used. EPIC argued that the same criteria should be applied to WHOIS data.

EPIC's statement on "Potential Partnerships Among Consumer Protection Enforcement Agencies and Internet Service Providers and Web Hosting Companies":

EPIC's statement on "Cooperation Between Consumer Protection Enforcement Agencies and Domain Registration Authorities":

FTC public workshop on "Public/Private Partnerships to Combat Cross-Border Fraud":

[3] Senator Proposes Domestic Spy Agency; Bush Launches Threat Center

On February 13, Senator John Edwards (D-NC) introduced a bill, S. 410, that would authorize the creation of a "Homeland Intelligence Agency." The bill, titled the "Foreign Intelligence Collection Improvement Act of 2003," would create a domestic intelligence agency modeled after Britain's MI5 Security Service, but would incorporate what are characterized as innovative civil liberties safeguards. Sen. Edwards argues that the law enforcement and intelligence gathering functions of the Federal Bureau of Investigation (FBI) are fundamentally inconsistent, and that the country needs an agency focused solely on domestic intelligence. The proposed agency would take over the intelligence functions of the FBI and would also obtain control over the domestic intelligence functions of the Central Intelligence Agency (CIA), National Security Agency (NSA), and other intelligence agencies.

To balance the unprecedented centralization of domestic surveillance power, S. 410 proposes a system of rigorous internal auditing, enhanced public reporting and congressional oversight. The Homeland Intelligence Agency would have an Office of Privacy and Civil Liberties Protection, along with an independent Citizens Advisory Board, to monitor the operations of the agency. The bill proposes that the Privacy Act's Fair Information Practices would apply to the collection of intelligence information and that the agency would conduct privacy impact assessments for its surveillance proposals. It also promises strong guidelines on data mining activities.

The Foreign Intelligence Collection Improvement Act is predicated on two assumptions: that a law enforcement agency cannot and should not have intelligence capabilities, and that there is a need for greater domestic intelligence gathering power. It is not clear, however, that either of these assumptions holds true. While Congress is unlikely to act upon the bill in the near term, it provides a concrete alternative solution to the debate about how to conduct lawful domestic intelligence gathering. Such proposals need to be analyzed carefully on their merits for potential ideas and problems.

Responding to criticisms about inadequate cooperation between the various intelligence agencies, the White House announced the creation of the Terrorist Threat Information Center (TTIC) on January 28. According to the press release, the TTIC will be implemented in three phases. In its initial stage, TTIC will primarily focus on the production of integrated terrorist threat analysis for senior policymakers. In the second phase of implementation, TTIC will be the principal gateway for policymaker requests for analysis of potential terrorist threats to U.S. interests, and will maintain a database of known and suspected terrorists. In its final stage, TTIC will serve as the hub for all terrorist threat-related analytic work. TTIC will be located in a facility separate from CIA and FBI Headquarters, but will be under the Director of Central Intelligence. The FBI, meanwhile, is establishing an intelligence program to ensure that the collection and dissemination of intelligence is given the same institutional priority as the collection of evidence for prosecution. A new Executive Assistant Director for Intelligence will be given direct authority and responsibility for the FBI's national intelligence program.

S. 410, Foreign Intelligence Collection Improvement Act of 2003:

Fact Sheet, Strengthening Intelligence to Better Protect America:

[4] Congress Passes "Do-Not-Call" Legislation

Congress has passed legislation to implement the Federal Trade Commission's Do-Not-Call (DNC) list. The legislation, H.R. 395, the Do-Not-Call Implementation Act, passed by unanimous consent in the Senate, and by a 418-7 vote in the House. The measure was sponsored by House Energy and Commerce Committee Chairman Billy Tauzin (R-LA).

The FTC will now move forward with implementation of its DNC list. It is expected to be operational by Fall 2003. However, to prevent its operation, the telemarketing industry has filed suit challenging the list. That case, US Security v. FTC, was filed on January 29, 2003, in federal court in Oklahoma.

The legislation now goes to the White House, where it is predicted that President Bush will sign the bill.

H.R. 395 is available at:

EPIC's Telemarketing Page:

[5] EPIC Comments on Proposed Airline Passenger Database

EPIC has submitted comments on a Transportation Security Administration (TSA) proposal to create a new database of Aviation Security Screening Records on all airline passengers. This proposed database was disclosed for the first time in a Privacy Act notice published in the Federal Register on January 15, 2003. EPIC argued that the notice did not provide sufficient information for the public to contribute meaningfully to this rule-making procedure. In fact, the TSA has resisted requests EPIC brought under the Freedom of Information Act (FOIA) to provide public access to relevant information in the agency's possession about the TSA proposal.

According to the Federal Register notice, the TSA proposes to collect passenger manifest information on all airline travelers and store it in a large centralized database. The manifest information includes "Passenger Name Records (PNR) and associated data." This includes date and time of flights, flight number, destination, reservation information, and payment information. According to the notice, the TSA would store the records until the "completion of the individual's air travel to which the record relates." The TSA also proposes to collect and store data on "individuals who are deemed to pose a possible risk to transportation or national security." If a person is determined to be a "risk" under this opaque (and possibly arbitrary and/or discriminatory) procedure, the data will be stored for 50 years. The TSA, to date, has provided absolutely no information about how a passenger is determined to be a "possible risk to transportation or national security." They also give no information about how such a person might become aware of his or her categorization, and how that categorization might be legally challenged. Indeed, one could argue that simply purchasing a ticket makes an individual a "possible" risk to transportation. The TSA proposes that if a person is determined to be a risk, the database will also be populated by detailed data about that person, including "risk assessment reports; financial and transactional data; public source information; proprietary data; and information from law enforcement and intelligence sources."

EPIC has requested that the TSA answer the following questions to enable better informed public comments on the merits of their proposal:

(a) What is the aim of the Passenger Database? Is it the foundation of CAPPS-II (the TSA's data mining initiative similar to Total Information Awareness) or is it an integrated watch list?

(b) What procedure will determine if a person is a "risk"?

(c) How does a person become aware of being tagged as a "risk"?

(d) How can that determination be legally challenged? and

(e) What specifically are the policy and security safeguards to protect the Passenger Database?

The comments also discussed the privacy and security risks of the CAPPS-II initiative and the need for greater transparency for the other projects that are currently being pursued by the TSA.

EPIC's Comments:

DOT Electronic Docket:

[6] Privacy International Seeks "Stupid Security" Contest Submissions

Privacy International, a privacy watchdog group based in London, is on a quest to find the world's most "stupid" security measure. In order for a particular security measure to be considered "stupid," it should be one or more of the following: pointless, intrusive, annoying, or self-serving.

The "Stupid Security" award aims to highlight the absurdities of the security industry. Privacy International director Simon Davies said the group had launched the contest as a result of numerous security initiatives around the world that had absolutely no genuine security benefit.

The competition is open to everyone, and will be judged by a panel of well-known security experts, public policy specialists, privacy advocates, and journalists. Nominations will be accepted until March 15, 2003. Winners will be announced at the 13th Annual Computers, Freedom & Privacy conference in New York on April 3, 2003.

For more information, see:

Nominations can be sent to:


[7] EPIC Bookstore: Hong Kong Data Privacy Law

Mark Berthold and Raymond Wacks, "Hong Kong Data Privacy Law: Territorial Regulation in a Borderless World" (Thomson, Sweet & Maxwell Asia 2002)

It may surprise some in the West to learn that Hong Kong has one of the most advanced privacy laws in the world. But to those in the data protection field, the Hong Kong Data Privacy Law is a well known model for the protection of information privacy in the modern era. The Ordinance, as it is called, is derived from both the European Union Data Directive and international norms for privacy protection, including Article 12 of the Universal Declaration of Human Rights and Article 19 of the International Covenant on Civil and Political Rights.

This is also a privacy law with teeth. As Raymond Tang (the current Privacy Commissioner for Personal Data) notes, the Ordinance has been the subject of over 98,000 inquiries, 3,400 investigations, and 55 appeals before the statutory Administrative Appeals Board. This is a privacy law that requires careful study, and this new text from Thomson delivers.

Mark Berthold and Raymond Wacks have set out an extraordinarily useful overview of privacy law in Hong Kong and also the larger issues of privacy protection in the online world. The book details the operation of the Hong Kong Data Privacy Ordinance. It provides useful interpretation of key provisions, as well as reports and analysis of various cases decided under the law. Researchers, practitioners, and consumer advocates will find the text invaluable.

Berthold and Wacks have also made a significant contribution to the larger study of privacy protection in a borderless world. The text explores the impact of the Internet as well as the various technologies that both enhance and undermine privacy. In the final chapter the authors consider a range of important matters for policy makers around the world -- drafting privacy law, developing codes of practice, understanding the role of the privacy commissioner -- drawing often on the experience of Hong Kong and its own law. Their conclusion has universal application: "A well drafted, properly enforced and socially accepted data privacy regime provides a construct and valuable means by which to check the relentless, but far from inevitable, assault on our personal data and privacy."

- Marc Rotenberg

Office of the Privacy Commissioner for Personal Data, Hong Kong:

EPIC / Privacy International, "Privacy and Human Rights: An International Survey of Privacy Law and Developments" 196-205 (EPIC 2002) (Discussion of Hong Kong)

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

** Uniting Privacy and the First Amendment in the 21st Century **

May 9-10, 2003
Oakland, CA

EPIC, the First Amendment Project, and the California Office of Privacy Protection are sponsoring this activist symposium designed to explore the interplay between privacy and First Amendment rights, with the goal of developing strategies for optimizing both.

If you are interested in making a presentation or leading a Working Group, please submit a letter outlining your proposed presentation and including a brief explanation of the issue to be addressed, a list of possible presenters, and the desired outcome of the session to:

For more information:

Third Annual Privacy & Data Security Summit: Implementing & Managing Privacy in a Complex Environment. International Association of Privacy Professionals. February 26-28, 2003. Washington, DC. For more information:

Quality Labels for Web Sites: Alternative Approaches to Content Rating. Programme in Comparative Media Law and Policy (PCMLP), Oxford University. February 27, 2003. Kirchberg, Luxembourg. For more information:

The Law and Technology of DRM: What will DRM technologies mean for the future of information? University of California, Berkeley, School of Information Management and Systems and Boalt Hall School of Law. February 27 - March 1, 2003. Berkeley, CA. For more information:

Legal and Pedagogical Aspects of a Safer Internet. Safer Internet For Knowing and Living (SIFKaL). February 28, 2003. Kirchberg, Luxembourg. For more information:

Spectrum Policy: Property or Commons? Stanford Law School Center for Internet and Society. March 1, 2003. For more information:

Improving Identification: Enhancing Security, Guarding Privacy. The Communitarian Network. March 6, 2003. Washington, DC. For more information:

Identity Theft: Current Enforcement and Prevention Efforts. New York City Bar Association, Committee on Consumer Affairs. March 12, 2003. New York, NY. For more information:

P&AB's Privacy Practitioners' Workshop and Ninth Annual National Conference. Privacy & American Business. March 12-14, 2003. Washington, DC. For more information:

Big Brother Technologies. A Choices and Challenges Forum. Center for Interdisciplinary Studies, Virginia Polytechnic Institute and State University. March 27, 2003. Blacksburg, VA. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy. Association for Computing Machinery (ACM). April 1-4, 2003. New York, NY. For more information:

28th Annual AAAS Colloquium on Science and Technology Policy. American Association for the Advancement of Science. April 10-11, 2003. Washington, DC. For more information:

Integrating Government With New Technologies '03: E-Government, Change and Information Democracy. Riley Information Services. April 11, 2003. Ottawa, Canada. For more information:

RSA Conference 2003. RSA Security. April 13-17, 2003. San Francisco, CA. For more information:

Building the Information Commonwealth: Information Technologies and Prospects for Development of Civil Society Institutions in the Countries of the Commonwealth of Independent States. Interparliamentary Assembly of the Member States of the Commonwealth of Independent States (IPA). April 22-24, 2003. St. Petersburg, Russia. For more information:

O'Reilly Emerging Technology Conference. April 22-25, 2003. Santa Clara, CA. For more information:

Mid Canada Information Security Conference. Information Protection Association of Manitoba. April 30, 2003. Winnipeg, Manitoba, Canada. For more information:

Technologies for Protecting Personal Information. Federal Trade Commission. Workshop 1: The Consumer Experience. May 14, 2003. Workshop 2: The Business Experience. June 4, 2003. Washington, DC. For more information:

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For more information:

Privacy2003. Technology Policy Group. September 30 - October 2, 2003. Columbus, OH. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

** Receive a free Observing Surveillance conference poster with donation of $75 or more! **

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 10.04

