WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2003 >> [2003] EPICAlert 6

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 10.06 [2003] EPICAlert 6


Volume 10.06 March 26, 2003

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] PATRIOT Act Secrecy Challenged; DoD Appeals EPIC FOIA Victory
[2] EPIC Testifies at European Parliament on Air Travel Privacy
[3] Senate Wants Answers on Controversial Air Security System
[4] EPIC Launches FOIA Gallery; Issues Privacy Report on WHOIS
[5] Data Industry Initiates Anti-Privacy Credit Campaign
[6] News in Brief
[7] EPIC Bookstore: The Naked Society
[8] Upcoming Conferences and Events

[1] PATRIOT Act Secrecy Challenged; DoD Appeals EPIC FOIA Victory

In a legal memorandum filed with the federal court in Washington onMarch 21, EPIC and the American Civil Liberties Union, joined bylibrary and booksellers' organizations, challenged the JusticeDepartment's refusal to disclose basic, statistical informationconcerning implementation of the controversial USA PATRIOT Act. Thegroups argue that the withheld information is critical to the public'sability to evaluate the new surveillance powers; to determine whetherthe government is using the new powers appropriately; to determinewhether the new powers should be renewed before they "sunset" in 2005;
and to determine whether further expansion of the government'ssurveillance authority is warranted.

FBI documents that have been disclosed through the Freedom ofInformation Act lawsuit reveal that the Bureau is aggressively using asweeping power that -- without the approval of a judge -- allows thegovernment to force banks, Internet service providers, telephonecompanies, and credit agencies to turn over their customers' records.
Through the issuance of "National Security Letters" (NSLs) thegovernment can obtain records about people living in the United States(including American citizens) without probable cause that the personhas committed any crime. Entities that are required to turn overinformation are prohibited from disclosing the fact that the FBI hasdemanded the records. Documents released by the FBI show that theBureau has issued enough "Transactional Records NSLs" since October2001 to fill six pages of logs. It is not possible to determineexactly how many times the power has been employed because the actuallog entries are entirely blacked out.

In another FOIA development, the Defense Department has appealed adistrict court ruling that cleared the way for EPIC to receivedocuments concerning DoD's Total Information Awareness (TIA) project.
U.S. District Judge John Bates ruled on January 16 that EPIC isentitled to "preferred fee status" under the FOIA and ordered thePentagon to "expeditiously" process EPIC's almost year-old request forinformation concerning Admiral John Poindexter and the InformationAwareness Office (see EPIC Alert 10.01). While the Pentagon's appealof that ruling is not likely to prevent the release of materialconcerning the TIA program, the Defense Department appears to beseeking an appeals court determination that EPIC will not be entitledto preferred fee status in the future.

The legal memorandum challenging PATRIOT Act secrecy is available at:

Information on the EPIC/ACLU PATRIOT Act FOIA litigation, includingcopies of DOJ and FBI documents that have been released, is availableat:

The district court decision granting EPIC preferred FOIA fee status isavailable at:

[2] EPIC Testifies at European Parliament on Air Travel Privacy

On March 25, EPIC Policy Counsel CÚdric Laurant testified at a hearingon "Data Protection Since 11 September 2001: What Strategy forEurope?" The public seminar, organized by the European Parliament'sCommittee on Citizens' Freedoms and Rights, Justice and Home Affairs,
discussed emerging threats to data protection in both the private andthe public sectors in the European Union.

EPIC's testimony focused on the implications of new U.S. passengerprofiling schemes for the privacy interests of European travelers.
Laurant discussed several U.S. government projects that involve theprofiling of European airline passengers traveling to the UnitedStates and within Europe, including passenger profiling, TotalInformation Awareness, and the Advanced Passenger Information System.

Earlier, the European Commission brokered an arrangement to allow theDepartment of Homeland Security access to Passenger Name Records heldby European airlines. The European Parliament severely criticizedthis proposal and passed a resolution on March 13 stating that therewas no legal basis for the plan. The Parliament also warned that itwould open the door to "de facto 'data-mining.'"

EPIC informed the Parliament about efforts in the U.S. to stop thesesurveillance projects and urged the European Parliament to keep closewatch on the data-mining and profiling schemes as they move forward toensure that the legal rights of European citizens are not abridged.

Representatives of the European Commission, the European DataProtection Working Party, and other data protection experts alsoattended the event.

EPIC Statement for European Parliament Seminar:

European Parliament Hearing:

EPIC's Web page on Surveillance of European Air Travelers:

[3] Senate Wants Answers on Controversial Air Security System

The Senate Commerce Committee approved an amendment on March 13 thatwould begin to open the controversial Enhanced Computer AssistedPassenger Pre-Screening System (CAPPS-II) to Congressional scrutiny.
The Transportation Security Administration (TSA)'s proposed passengerprofiling system aims to conduct background risk assessments on allair travelers before they fly. In this year's budget request, theagency asked for an additional $45 million to support the developmentof the system. Another $30 million was appropriated for the system inthe FY 2003 budget.

The profiling system will rely on experimental data-mining technologyto sift through data from various commercial and government databases,
assigning different "risk scores" to passengers. Based on thesescores, passengers will either be denied boarding, subjected to a moreintrusive physical search, or passed through normal screening. InFebruary, TSA assigned a contract to Lockheed Martin to supply thesoftware. The commercial database providers have yet to beidentified.

TSA is testing CAPPS-II with Delta Airlines in three mid-size airportsthis spring and plans to implement the profiling system throughout thecountry by the summer of 2004. In January, the agency issued aPrivacy Act notice about the system. Many commenters (including EPIC)
argued that the notice violated the Privacy Act. Responding to thewave of criticism following the notice, the TSA is currentlyattempting to develop privacy and security safeguards for theprofiling scheme.

The Senate Committee's amendment would require TSA to produce awritten report on the impact of the profiling system on the privacyand civil liberties of United States citizens. The report, ifmandated by Congress, would specifically address six issues:

(1) What are the rules for data storage?
(2) How will the risk scoring be conducted?
(3) What is the role of third party vendors?
(4) What will be the safeguards against abuse?
(5) What are the procedures for correcting errors? and (6) What provisions are there for ongoing oversight to ensure compliance with privacy and civil liberties?

The amendment was included in S. 165, the Air Cargo Security Act,
which has been favorably reported out of the Committee and is pendingapproval from the Senate.

In a related effort, EPIC and a broad coalition of nationalorganizations wrote to the House Select Committee on Homeland Securityon March 25 urging it to stop the deployment of the CAPPS-II projectunless it can be shown to be both effective and consistent withprivacy and due process principles. The letter raises a host ofunanswered questions about the program. At a House hearing ondata-mining held on March 25, an official from the White House Officeof Management and Budget expressed serious reservations about theeffectiveness of the passenger profiling system and said that OMB isexamining the system very closely. He stated, "If we can't prove itlowers risk, it's not a good investment for government."

Senate Commerce Committee CAPPS Amendment:

Coalition letter on CAPPS II:

Mark Forman, OMB Associate Director for E-Government and InformationTechnology, testimony on data-mining:

EPIC's Passenger Profiling page:

[4] EPIC Launches FOIA Gallery; Issues Privacy Report on WHOIS

March 16 marked Freedom of Information Day, an occasion for those inthe information and education communities to inform the public aboutits right to access government information. In celebration of FOIDay, EPIC created an online FOIA Gallery to showcase documents weobtained through the Freedom of Information Act in the past year. TheWeb site provides scanned images and brief explanations of thesedocuments, including evidence of the misuse of the ForeignIntelligence Surveillance Act, video monitoring of politicalprotesters in Washington, DC, and the names and project titles of theorganizations receiving funding from John Poindexter for research onTotal Information Awareness.

EPIC has also authored a new online privacy report on domain nameregistration information. Current policies for the .COM/.ORG/.NETtop-level domains require the publication of a domain nameregistrant's personal information, such as mailing address, emailaddress, telephone number, and fax number. EPIC's WHOIS PrivacyIssues Report, released just as ICANN is considering new policies forWHOIS data, recommends that WHOIS policies follow the Organization forEconomic Cooperation and Development (OECD) Privacy Guidelines. TheOECD Privacy Guidelines reflect an international consensus on privacyprotection for trans-border dataflows that directly implicates WHOISpolicies and practices.

EPIC FOIA Gallery 2003:

EPIC's WHOIS Privacy Issues Report:

EPIC's new page on WHOIS and Privacy:

[5] Data Industry Initiates Anti-Privacy Credit Campaign

Data profiling companies have begun a misleading anti-privacy campaignwith the goal of preventing state legislators from passing strongprivacy laws. The data profiling companies are seeking extension offederal preemption in the Fair Credit Reporting Act (FCRA). Ifpreemption is extended or expanded, it will prevent states frompassing consumer-friendly privacy laws. It may also prevent statecourts from developing new protections for personal data, as the NewHampshire Supreme Court recently did in the Amy Boyer case (see EPICAlert 10.04).

The new campaign is just one part of a larger strategy to strip statesof their consumer protection authority. The data industry has alsolobbied Congress and the Department of Treasury to further itsefforts. This week, Sen. Tim Johnson (D-SD) introduced a bill toextend preemption.

State advocates have led the way in passing new identity theftprotections and limits on collection and use of personal data.
Pending legislation in California would expand those protections,
providing opt-in requirements before individuals' information iscommercially exploited. Recognizing this, the National Association ofAttorneys General passed a resolution in December 2002 opposingpreemption of state credit law. The Attorneys General emphasized thatfederal law traditionally creates a floor of protections that allowsstates to pass stronger laws and serve as "laboratories of democracy."

The anti-privacy industry group, calling itself the "Partnership toProtect Consumer Credit," includes members that would benefitsubstantially from weak federal privacy law. Members include FannieMae, the National Retail Federation, the Consumer Bankers Association,
the American Financial Services Association, Capital One, ConsumerData Industry Association, CitiGroup, Household International, JPMorgan Chase, MasterCard, MBNA, and Morgan Stanley-Discover FinancialServices. Several of these companies, most notably the large banks,
engage in extensive profiling with individuals' personal information;
Citibank and Chase Manhattan were both pursued by attorneys generalfor selling personal information to telemarketers in recent years.

National Association of Attorneys General Statement on FCRA Reform:

EPIC's Fair Credit Reporting Act Page:

FCRA: Congress Should Allow Preemption to Expire:

Text of S. 660, a bill to extend limitations on certain provisions ofState law under the Fair Credit Reporting Act:

[6] News in Brief

Eighth Circuit Upholds Junk Fax Law
The U.S. Court of Appeals for the 8th Circuit has upheld a law thatimposes fines upon businesses that send fax advertisements without theconsent of the recipient. The case, Missouri v. American Blast Fax,
involved a First Amendment "commercial speech" challenge to theTelephone Consumer Protection Act (TCPA) of 1991.

State of Missouri v. American Blast, No. 02-2705, March 21, 2003:

EPIC Urges Privacy Act Rules for Data-Miners
In comments submitted for a hearing before the House Government ReformSubcommittee on Information Policy, EPIC described risks to privacyand civil liberties posed by data-mining. Relying upon documentsobtained through the Freedom of Information Act, EPIC argued thatsince the government obtains volumes of personal information fromprivate-sector companies, Congress should extend the Privacy Act tocover commercial information brokers.

EPIC's comments are available at:

FBI Drops Accuracy Requirements from Criminal Records Database
The Department of Justice announced this week that it would no longercomply with the obligation under the 1974 Privacy Act to ensure thatinformation maintained in the country's largest criminal database isaccurate and timely. The National Crime Information Center providesover 80,000 law enforcement agencies with access to a computerizednetwork of more than 39 million records regarding criminal activity.

National Crime Information Center:

Groups Oppose Use of Tax Information For Marketing
EPIC and a coalition of consumer groups submitted a letter to theDepartment of the Treasury warning the agency that commercial taxpreparation companies participating in the IRS Free File program areusing confidential taxpayer information to market financial productsand services to individuals.

For more information, see the press release:

The letter is available at:

National Do-Not-Call Legislation Enacted
President Bush has signed the Do-Not-Call Implementation Act, clearingthe way for a federal system that will allow individuals to enroll ina registry to reduce the amount of telemarketing calls received. Thelegislation approves the Federal Trade Commission (FTC)'s plans tocollect fees from telemarketers in order to create the registry.
Telemarketers report that they have raised $1 million to defeat theregistry through lawsuits. Thus far, three lawsuits have been broughtin federal district courts in Oklahoma, Colorado, and Washington, DC.

Do-Not-Call Implementation Act (P.L. 108-10):

EPIC Telemarketing Page:

National Research Council Releases Report on Biometrics and Privacy
A new report from the National Research Council examines the privacyimplications of systems designed for authentication of identity. Thereport, titled "Who Goes There? Authentication Through the Lens ofPrivacy," looks at a variety of legal, policy, and technicalconsiderations and concludes that privacy standards should beestablished.

The report is available online at:

Report: Pre-9/11 Problems Not Caused by Lack of Surveillance Authority
Eleanor Hill, the staff director of the Joint Senate and House 9/11Inquiry Committee, said at an ABA Standing Committee on Law andNational Security meeting in Washington on March 18 that the pre-9/11problems with intelligence had nothing to do with civil liberties or alack of additional authorities to conduct surveillance. She said thegovernment had all the relevant information but failed to analyze andcombine the pieces of intelligence properly. Hill's inquiry reportcited the failure of the FBI and CIA in sharing critical informationon a number of the terrorist hijackers. She also said civil libertiesare integral to the traditions of the country.

US Senate Committee on Intelligence - Publications:

[7] EPIC Bookstore: The Naked Society

The Naked Society, by Vance Packard (Van Rees Press 1964 -- out ofprint).

In "The Naked Society," Vance Packard methodically identifies theprivacy-invading forces in our culture. Among these forces isurbanization, which breeds a fear of crime and an accompanyingtolerance of more aggressive police tactics. Growing Americanaffluence has led to more invasive marketing techniques.
Additionally, the advance of technology constantly changes boundariesand expectations. Packard disdainfully describes the resulting paradeof horribles, including personality tests, employee backgroundinvestigations, sneak and peek police searches, and commercial listbrokerage.

Much can be gained by visiting this work from the 1960s. One can seeparallels between past "scientific" belief in polygraph testing andthe modern-day superstition of predictive profiling. Packard alsoforeshadows the problems of collection of personal information, andhow this data could be employed for secondary, unforeseen purposes. Ifedited to recognize the quickened pace of access to personalinformation and the effects of aggregation, a re-publishing of "TheNaked Society" would be even more relevant today. Packard's centralwarning to society certainly remains true: that the rights of the mostupstanding citizens are only secure as long as we respect the autonomyof the most disreputable.

Packard closes his work with a call to begin restoring privacy byrespecting it in one's own home. In a world where children aremonitored by closed-circuit cameras and location-based devices,
Packard's advice is more important now than ever: "A child raised inan environment where his individuality is respected will have moreinner resources to draw upon when he becomes an adult."

- Chris Jay Hoofnagle

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 21stedition fully updates the manual that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or need to learn how to litigatethem), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Lawsand Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including data protection, telephonetapping, genetic databases, video surveillance, location tracking, IDsystems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

** Uniting Privacy and the First Amendment in the 21st Century **

May 9-10, 2003Oakland, CA
EPIC, the First Amendment Project, and the California Office ofPrivacy Protection are sponsoring this activist symposium designed toexplore the interplay between privacy and First Amendment rights, withthe goal of developing strategies for optimizing both.

If you are interested in making a presentation or leading a WorkingGroup, please submit a letter outlining your proposed presentation andincluding a brief explanation of the issue to be addressed, a list ofpossible presenters, and the desired outcome of the session to:

For more information:

Big Brother Technologies. A Choices and Challenges Forum. Center forInterdisciplinary Studies, Virginia Polytechnic Institute and StateUniversity. March 27, 2003. Blacksburg, VA. For more information:

Symposium on Security, Technology, and Individual Rights: theconvergence of our history, our ideals, and our innovative spirit.
Georgetown Journal of Law and Public Policy. March 27-28, 2003.
Washington, DC. For more information: <>

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information:

28th Annual AAAS Colloquium on Science and Technology Policy. AmericanAssociation for the Advancement of Science. April 10-11, 2003.
Washington, DC. For more information:

Integrating Government With New Technologies '03: E-Government, Changeand Information Democracy. Riley Information Services. April 11, 2003.
Ottawa, Canada. For more information:

RSA Conference 2003. RSA Security. April 13-17, 2003. San Francisco,
CA. For more information:

**POSTPONED UNTIL MID-JUNE.** Building the Information Commonwealth:
Information Technologies and Prospects for Development of CivilSociety Institutions in the Countries of the Commonwealth ofIndependent States. Interparliamentary Assembly of the Member Statesof the Commonwealth of Independent States (IPA). April 22-24, 2003.
St. Petersburg, Russia. For more information:

O'Reilly Emerging Technology Conference. April 22-25, 2003. SantaClara, CA. For more information:

Mid Canada Information Security Conference. Information ProtectionAssociation of Manitoba. April 30, 2003. Winnipeg, Manitoba, Canada.
For more information:

Little Sister 2003: Community Resistance, Security, Law andTechnology. May 9-11, 2003. Vancouver, British Columbia, Canada. Formore information:

2003 IEEE Symposium on Security and Privacy. IEEE Computer SocietyTechnical Committee on Security and Privacy, in cooperation with theInternational Association for Cryptologic Research (IACR). May 11-14,
2003. Oakland, CA. For more information:

Technologies for Protecting Personal Information. Federal TradeCommission. Workshop 1: The Consumer Experience. May 14, 2003.
Workshop 2: The Business Experience. June 4, 2003. Washington, DC. Formore information:

ITS-2003: Third International Conference on "Information Technologiesand Security." June 23-27, 2003. Partenit, Crimea, Ukraine. For moreinformation:

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. Formore information:

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunkand Science Fiction. August 11-13, 2003. Prague, Czech Republic. Formore information:

Privacy2003. Technology Policy Group. September 30 - October 2, 2003.
Columbus, OH. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under"subscription information". Please contact if you wouldlike to change your subscription e-mail address, if you areexperiencing subscription/unsubscription problems, or if you have anyother questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

** Receive a free Observing Surveillance conference poster withdonation of $75 or more! **

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 10.06


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback