
EPIC Alert


EPIC Alert 11.11 [2004] EPICAlert 11


Volume 11.11 June 10, 2004

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Sues Agencies for Passenger Data Disclosure Info
[2] DHS and EU Council Reach Agreement on Airline Passenger Data
[3] House Committee Suspends US-VISIT Contract
[4] Business Coalition Seeks Change to Junk Fax Regulations
[5] ICANN Calls for Comments on WHOIS Process
[6] News in Brief
[7] EPIC Bookstore: Credit Scores & Credit Reports
[8] Upcoming Conferences and Events

[1] EPIC Sues Agencies for Passenger Data Disclosure Info

EPIC filed suit in federal district court yesterday seeking the release of Transportation Security Administration and Department of Justice records concerning the efforts of the agencies to collect airline passenger data from major commercial airlines. The lawsuit challenges the agencies' failure and refusal to expedite the processing of EPIC's Freedom of Information Act (FOIA) requests for the material.

The suit stems from four FOIA requests asking the agencies for information about their roles in acquiring passenger data from JetBlue Airways, Northwest Airlines, American Airlines and others. In the past eight months, EPIC has submitted three requests to the Transportation Security Administration for information about its role in JetBlue's disclosure of passenger data to a defense contractor and American's disclosure of passenger data to Transportation Security Administration contractors. The agency has granted expedited processing for all of the requests, but has failed to release the information within twenty days, as required by law.

Further, EPIC submitted a FOIA request to the FBI last month asking for information about its collection of a year's worth of passenger information from numerous airlines after 9/11, and requested expedited processing as provided under the FOIA and Department of Justice regulations. The Bureau refused to expedite on the grounds that "the primary activity of EPIC does not appear to be information dissemination," despite the fact that two federal judges have determined otherwise. The FBI also justified its denial by stating that EPIC had not "demonstrated any particular urgency to inform the public about the subject matter of [its] request beyond the public's right to know generally."

EPIC is seeking a preliminary injunction requiring the Department of Justice, the FBI's parent agency, to process EPIC's request and release the documents as soon as possible. In support of its entitlement to expedited processing, EPIC noted substantial media interest in the FBI's acquisition of passenger information and pointed out that Congress has shown increasing concern about government collection of such data. EPIC also noted that other agencies have granted expedited processing for similar requests, acknowledging that this is a matter about which there is an urgency to inform the public.

EPIC's complaint is available at:

EPIC's motion for a preliminary injunction is available at:

For more information about passenger data disclosures, see EPIC's Northwest Disclosure Page:

[2] DHS and EU Council Reach Agreement on Airline Passenger Data

On May 28, United States and European Union officials signed an agreement providing for a legal framework to govern the disclosure of European airline passenger data to the Department of Homeland Security's Bureau of Customs and Border Protection.

The bilateral agreement centers on the Customs Bureau's use of passenger name record (PNR) data from airline reservation systems. Thirty-four data fields have been specified for disclosure to the U.S. government, including name, dates of travel, phone numbers, emails, credit card numbers, car rental information, hotel reservation details, and contact persons in the U.S., with data to be kept for not more than three and a half years. The agreement restricts use of the data to combating terrorism and "other serious crimes" that are transnational in nature. The data may also be used to test the Transportation Security Administration's controversial second generation Computer Assisted Passenger Prescreening System (CAPPS II) once the system is authorized to test using domestic data. The Customs Bureau also promises certain privacy protections, including restrictions on use of the data by other U.S. agencies.

The agreement is the result of more than a year and a half of negotiations between the EU and the U.S. Since March 2003, EU airlines have provided PNR data to the Customs Bureau to comply with U.S. regulations. However, these data transfers likely violate European data protection laws, mainly because they do not provide passengers with a judicially enforceable right to access their personal data and do not ensure truly independent redress, compensation and appeal mechanisms in case of governmental abuse and infringement of passengers' rights. EU member states had agreed not to enforce their national laws pending an adequacy finding by the European Commission that personal data transferred to the Customs Bureau would receive sufficient protection. One main purpose of the new agreement was to resolve this conflict.

European Commission officials defend the agreement, arguing that it formalizes privacy protections for PNR data and reflects negotiated concessions limiting the scope and use of such information. They contend that the alternative would have included fewer concessions to data use and greater legal and practical uncertainty about the ongoing data transfers.

However, the European Parliament, Article 29 Data Protection Working Party, data protection authorities around the world and privacy experts have expressed deep reservations about the agreement and its effects on Europeans' privacy rights, voting against its approval even though the European Commission considered such disapproval not binding in this case. The European Court of Justice could still invalidate the agreement if requested by the Parliament to review the compatibility of the agreement with the Treaty of the EU and to determine whether the Parliament should have had veto power.

The European Commission's adequacy decision, including the U.S. government's Undertakings and the list of 34 PNR data fields to be disclosed to U.S. authorities:

The decision of the Council of the European Union to conclude an agreement with the Department of Homeland Security:

The European Parliament's resolution disapproving the agreement:

For more information about passenger data sharing, see EPIC's EU-U.S.
Airline Passenger Data Disclosure page:

[3] House Committee Suspends US-VISIT Contract

The House Appropriations Committee has moved to suspend the Department of Homeland Security's contract with Accenture, a non-U.S. based corporation, for development of the United States Visitor and Immigrant Status Indicator Technology (US-VISIT). The Department last week awarded the company a contract worth up to $10 billion for the expansion of the controversial border security program, which uses photographs and biometrics to track foreign visitors to, from and within the U.S.

US-VISIT has already processed more than four million people at the country's busiest air and sea ports, and Department of Homeland Security officials claim to have apprehended over 500 suspected criminals and illegal aliens through the program. US-VISIT has yet to assist in the apprehension of a single suspected or known terrorist.

The bid process for the US-VISIT contract was deemed unusual because the government left it to bidders to envision an ideal process for tracking visitors traveling to and from the U.S. Accenture's proposal entailed the creation of "virtual folders" for each visitor that would store visa application information, biometric information, entry and exit dates, and the purpose of the visit. Additional information would be included for student visa holders. Acknowledging that US-VISIT enables the unprecedented integration and sharing of individual information among various agency databases, Accenture also created a position for a chief privacy officer.

Indeed, privacy threats posed by the program remain paramount. In February, EPIC urged the Department of Homeland Security to define how Privacy Act obligations affect the program, to consider the significance of international privacy standards in the collection and use of personal information on non-U.S. citizens, and to prohibit the expansion of US-VISIT uses beyond the program's defined mission. These issues remain unresolved.

Department of Homeland Security press release on the US-VISIT contract:

EPIC comments on US-VISIT:

For more information about US-VISIT, see EPIC's US-VISIT Page:

[4] Business Coalition Seeks Change to Junk Fax Regulations

A massive coalition of business groups is attempting to pass legislation that would weaken protections against unsolicited commercial faxes, also known as "junk faxes." Since the passage of the Telephone Consumer Protection Act of 1991 (TCPA), it has been illegal to send a junk fax without obtaining prior affirmative consent from the recipient. Nevertheless, some junk fax "broadcasters" and others continue to send the messages, transferring the cost of paper and ink to the recipient.

As a result of continuing problems with fax broadcasters, and in particular, the Federal Communications Commission tightened restrictions on junk faxes last year. The regulations, which do not take effect until 2005, require junk faxers to obtain written consent from recipients prior to sending the messages. Having written evidence of consent is important in enforcement of the regulation, as junk faxers frequently defend their activities by claiming that the recipient opted in to the transmission. Without written consent, the dispute can dissolve into a "he said, she said" situation where the junk faxer will claim that a former owner of the phone number, a family member, or someone else with access to the number provided consent to the unwanted transmissions.

The Commission also modified the "existing business relationship" exemption, limiting the time that solicitations could be sent to eighteen months after a purchase or transaction, and three months after a customer makes an inquiry to a business. This limit in time is necessary, as some junk faxers send new messages every day, and the old rule would allow them to continue to do so in perpetuity.

The business groups are attempting to eliminate both the requirement for written consent and the time limits associated with the existing business relationship exemption. The bill may also contain provisions allowing non-profit organizations to send junk faxes, and some are lobbying to remove the private right of action and damages provisions from the TCPA. A hearing on the issue will be held Tuesday in the House Energy and Commerce Committee, where legislation effecting the business group's desires has support from both parties.

Hearing on junk faxes:

For more information about junk faxes, see EPIC's Telemarketing Page:

[5] ICANN Calls for Comments on WHOIS Process

The Internet Corporation for Assigned Names and Numbers (ICANN) has requested public comment on access, data, and accuracy in the WHOIS process. The WHOIS database is a public directory of domain registrant data available and searchable online. Currently, registrants must enter information as personal as name, address, telephone number, and e-mail address in addition to technical contact information, all of which can be found on the public WHOIS database.

Last year ICANN established three task forces to develop policy for the WHOIS database. The task forces' preliminary reports, which focus on access, data, and accuracy, were recently released to the public. ICANN now requests public comments on each of the reports. The comment period lasts only from May 28 to June 17, 2004.

The Non-Commercial Users Constituency of ICANN strongly encourages the general public, NGOs, non-commercial communities and interested parties to submit comments on each report. The outcome of the WHOIS Policy Development Process will have a significant impact on privacy, civil liberties, and freedom of expression for Internet users. The WHOIS database broadly exposes domain registrants' personal data to a global audience, including criminals and spammers.

The Non-Commercial Users Constituency has urged ICANN to limit the use and scope of the WHOIS database to its original purpose, which is the resolution of technical network issues, and to establish strong privacy protections based on internationally accepted privacy standards. This limitation would entail restricting access to the data, minimizing data required, and not penalizing registrants for protecting their personal information by entering an inaccurate home address or telephone number.

The Public Voice web site provides detailed information on WHOIS policy development and the comment process. For each of the three task forces, there are links to the preliminary report and the e-mail address for comment submission. There are also position statements by the Non-Commercial Users Constituency, which may be useful in helping to understand the key issues.

For more information about WHOIS policy development, see The Public Voice web site:

View the task forces' preliminary reports at:

Submit comments on the preliminary reports at:

[6] News in Brief

California Attorney General Bill Lockyer has acknowledged a letter sent by EPIC, Privacy Rights Clearinghouse, and the World Privacy Forum alleging that Google's e-mail scanning Gmail service violates California's strict wiretapping laws. Lockyer wrote: "The potential exposure of Gmail users to liability for violation of Penal Code section 631 is of particular concern, as are the rights of those who are not subscribers to Gmail but who send e-mail to those who are." Lockyer advised that his office will continue to analyze Gmail and that "I understand your position and share many of your concerns."

Attorney General Lockyer acknowledgement:

Letter to Attorney General Lockyer concerning Gmail:

A federal court recently threw out the government's case against Brandon Mayfield, an American lawyer in Oregon who had been linked by fingerprint identification to the deadly train bombings in Madrid, Spain, in March. The court said the FBI had misidentified fingerprints found on a bag of detonators near the train station in Madrid as belonging to Mayfield, though Spanish police have subsequently matched the prints to an Algerian fugitive. Mayfield was arrested on May 6 as a material witness in the bombings and detained for two weeks. Soon after the court dismissed the case, the FBI offered a rare apology for mistakenly identifying him in connection with the terrorist attack. The error seems to have come initially from the FBI's supercomputer for matching fingerprints and then from the FBI's own analysts. A 37-year-old convert to Islam, Mayfield sharply criticized the government, saying he was targeted because of his faith and calling his time behind bars "humiliating" and "embarrassing."

For information about inaccuracies in the FBI's criminal justice database, see EPIC's Joint Letter to Require Accuracy for the National Crime Information Center:

The FBI has served seven artists with subpoenas under the USA PATRIOT Act to appear before a federal grand jury on June 15, 2004. The jury is expected to consider bioterrorism charges against Steven Kurtz, an art professor at the University of Buffalo. Kurtz and two other subpoenaed artists are members of the artists' collective known as Critical Art Ensemble. The collective has used scientific equipment since 1987 to produce art projects related to biotechnology. Kurtz's 2002 exhibit entitled "Molecular Invasion" was a statement against genetically modified crops.

According to the subpoenas, the FBI is seeking charges under Section 175 of the US Biological Weapons Anti-Terrorism Act of 1989, which has been expanded by Section 817 of the USA PATRIOT Act. As modified, this law prohibits the possession of "any biological agent, toxin, or delivery system of a type or in a quantity that, under the circumstances, is not reasonably justified by a prophylactic, protective, bona fide research, or other peaceful purpose."

Critical Art Ensemble Defense Fund:

For more information about The USA PATRIOT Act, see EPIC's USA PATRIOT Act Page:

The California Public Utility Commission last week adopted a "Telecommunications Bill of Rights," a set of regulations under development for over three years. Wireless customers benefit from the new rules, which include mandatory notice about rate increases and Internet posting of current tariffs. Previous versions of the rules drafted under the former Public Utility Commissioner required wireless providers to obtain express consent, or "opt-in" consent, before using or selling Customer Proprietary Network Information (CPNI) data about calls made and received. The ruling states that such privacy rules will be revisited but provides no time frame. The wireless telephone industry is expected to vigorously oppose implementation of the new regulations.

The ruling is available at:

For more information about Customer Proprietary Network Information,
see EPIC's CPNI Page:

A May 2004 General Accounting Office report surveying an unrepresentative sample of thirteen colleges and universities across the nation has concluded that most schools feel they are up to the task of combatting copyright piracy on their computer networks. All schools surveyed indicated that they have suffered negative effects of peer-to-peer piracy ranging from network shutdowns to expending additional funds on system management. In response to these problems, the institutions have taken various steps such as conducting awareness programs, limiting file downloads, and warning or banning infringing network users. While the report presents no concrete data on how effective these approaches are in reducing piracy, it does note that the institutions surveyed have some confidence in the efficacy of their countersteps.

But many of the solutions the universities have placed their confidence in raise privacy concerns. Measures such as sanctioning users of certain file-sharing applications necessarily involve individual identification of network users. All of the surveyed universities indicated that they have this ability and had used it in the academic year preceding the study (2002-2003). Five universities indicated that they could always track down an individual user accused of copyright violation, while seven stated that individual identifications could be made most of the time. Future stepped-up anti-piracy measures might increase the incidence of such individual identifications. This is especially troubling if there are no safeguards to protect the privacy of network users, essentially opening them up to the discovery of who is listening to, or watching, what, long before it is legally established that they have violated a copyright.

The report is available at:

[7] EPIC Bookstore: Credit Scores & Credit Reports

Credit Scores & Credit Reports: How The System Really Works, What You Can Do, by Evan Hendricks (2004).

Evan Hendricks, Fair Credit Reporting Act expert and veteran editor of the Privacy Times newsletter, has published an authoritative and approachable guide to credit scores and credit reporting. He argues that "the worse your credit score, the more you pay for mortgages, loans, credit cards, and insurance. Conversely, the better your credit score, the more favorable terms you will get on interest rates and premiums." Thus, it is increasingly important that individuals understand their credit scores and the reports from which they are derived. Hendricks explains in detail how the score is computed, the factors involved, and specific actions that affect the score.

Hendricks' book gives an excellent overview of a range of existing and emerging credit reporting issues, including account review, the "reinvestigation" process, how to dispute errors on the report, the problem of mixed files, identity theft, how to protect your privacy by opting out of prescreening, the potential for credit scoring having a disparate and unjustified impact against minorities and the poor, and the increasing use of credit scores in automobile insurance. If you advise clients on credit issues or are attempting to rebuild your credit, Hendricks' book should be on your shelf -- right next to your subscription to Privacy Times.

-Chris Jay Hoofnagle

EPIC Publications:

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, as well as recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"Privacy & Human Rights 2003: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty-five countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

TRUSTe Symposium: Privacy Futures. June 9-11, 2004. International Association of Privacy Professionals. San Francisco, CA. For more information:

The Policy Implications of Open Source Software. Forum on Technology & Innovation. June 10, 2004. Washington, DC. For more information:

Access & Privacy Conference 2004: Sorting It Out. Government Studies, Faculty of Extension. June 10-11, 2004. University of Alberta. Edmonton, Alberta, Canada. For more information:

13th Annual CTCNet Conference: Building Connected Communities: The Power of People & Technology. June 11-13, 2004. Seattle, WA. For more information:

Homeland Security and Civil Liberties. The United States Army War College with the University of Pennsylvania School of Law. June 18, 2004. Philadelphia, PA. For more information:

Knowledge Held Hostage? Scholarly Versus Corporate Rights in the Digital Age. Annenberg Public Policy Center and Rice University in association with Public Knowledge and the Center for Public Domain. June 18, 2004. Philadelphia, PA. For more information:

Fifth Annual Institute on Privacy Law: New Developments & Compliance Issues in a Security-Conscious World. Practising Law Institute. June 21-22, 2004. New York, NY. For more information:

Managing the Privacy Revolution 2004: New Challenges, New Strategies,
New Dangers. Privacy & American Business. June 22-24, 2003.
Washington, DC. E-mail info at

ITU WSIS Thematic Meeting on Countering Spam. International Telecommunication Union and the World Summit on the Information Society. July 7-9, 2004. Geneva, Switzerland. For more information:

PORTIA Workshop on Sensitive Data in Medical, Financial, and Content-Distribution Systems. PORTIA Project. July 8-9, 2004. Stanford, CA. For more information:

O'Reilly Open Source Convention. July 26-30, 2004. Portland, OR. For more information:

First Conference on Email and Anti-Spam. American Association for Artificial Intelligence and IEEE Technical Committee on Security and Privacy. July 30-31, 2004. Mountain View, CA. For more information:

Crypto 2004: The Twenty-Fourth Annual IACR Crypto Conference. International Association for Cryptologic Research, IEEE Computer Society Technical Committee on Security and Privacy, and the Computer Science Department of the University of California, Santa Barbara. Santa Barbara, CA. August 15-19, 2004. For more information:

The Right to Personal Data Protection -- the Right to Dignity. 26th International Conference on Data Protection and Privacy Commissioners. September 14-16, 2004. Wroclaw, Poland. For more information:

2004 Telecommunications Policy Research Conference. National Center for Technology & Law, George Mason University School of Law. October 1-3, 2004. Arlington, VA. For more information:

Privacy and Security: Seeking the Middle Path. Office of the Information & Privacy Commissioner of Ontario; Centre for Innovation Law and Policy, University of Toronto; and Center for Applied Cryptographic Research, University of Waterloo. Toronto, Ontario, Canada. October 28-29, 2004. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 11.11

