WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2004 >> [2004] EPICAlert 13

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 11.13 [2004] EPICAlert 13


Volume 11.13 July 12, 2004

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Supreme Court Upholds Block on Web Censorship Law
[2] EPIC Calls for Suspension of Registered Traveler Program
[3] Federal Court OKs Service Provider E-mail Interception
[4] Judge Upholds Country's Strongest State Financial Privacy Law
[5] Voter Identification Bills Introduced in Congress
[6] News in Brief
[7] EPIC Bookstore: Jennifer Government
[8] Upcoming Conferences and Events

[1] Supreme Court Upholds Block on Web Censorship Law

The Supreme Court recently upheld in Ashcroft v. ACLU a lower court'sinjunction against enforcement of the Child Online Protection Act(COPA). COPA, passed by Congress in 1998, is a broad censorship lawthat restricts Internet speech and imposes penalties of up to $50,000and six months in prison for posting, for commercial purposes, contentthat is "harmful to minors." In a 5-4 decision, the Court upheld theinjunction on the basis that the government failed to rebut theargument that software filtering is a plausible, less-restrictivealternative to COPA's content-based regulation of Internet speech.

Congress passed COPA in 1998 after the Supreme Court's 1997 ruling inReno v. ACLU that the law's predecessor, the Communications DecencyAct, was unconstitutional. EPIC joined with the ACLU to serve asplaintiff and co-counsel in the constitutional challenges to bothlaws.

The Supreme Court's majority opinion, written by Justice Kennedy andjoined by Justices Stevens, Souter, Thomas, and Ginsburg, held that"there is a potential for extraordinary harm and a serious chill uponprotected speech" if the law goes into effect. The Court found thatfiltering software is likely a less restrictive means to regulateminors' access to harmful material because "filters impose selectiverestrictions on speech at the receiving end, not universalrestrictions at the source." The Court also found that promotingfilters is less damaging to First Amendment principles because COPAcondemns as criminal entire categories of speech. Justice Kennedyalso noted that COPA fails to effectively serve the government'sinterest in protecting children because the law does not preventchildren from seeing inappropriate material originating outside theUnited States.

In his dissenting opinion, Justice Breyer contended that the Court waswrong to conclude that Congress could have accomplished its goal ofprotecting children from Internet pornography in less restrictiveways. Breyer argued that the monetary and social costs of COPA'sidentification requirement impose only "a modest additional burden" onadult access to Internet content.

The case has been remanded to the lower court for further proceedings.

The opinion in Ashcroft v. ACLU is available at:

EPIC's testimony concerning the privacy implications of COPA'sidentification requirement:

For more information about the case, see EPIC's COPA Litigation Page:

[2] EPIC Calls for Suspension of Registered Traveler Program

In formal comments to the Transportation Security Administration(TSA), EPIC has urged the agency not to deploy the final phase of theRegistered Traveler program until it conducts a full evaluation of theprogram's privacy implications. EPIC argued that the agency shouldrevise its information collection and maintenance practices to complyfully with the intent of the Privacy Act.

EPIC made its recommendation in response to the agency's publicationof a notice describing its plans to launch the pilot phase ofRegistered Traveler. The program asks individuals to volunteer toundergo invasive background checks and provide biometric informationin exchange for the assurance that they will not be subjected torandom secondary screening at airports.

EPIC's comments noted the agency's record of secrecy and little regardfor individual privacy interests in the development of other programs,
pointing out that the agency has disclosed little information aboutthe controversial second generation Computer Assisted PassengerPrescreening System (CAPPS II) in response to EPIC's repeated Freedomof Information Act requests and has also exempted the system from keyPrivacy Act provisions.

EPIC noted that TSA has unnecessarily exempted Registered Travelerfrom crucial safeguards intended to promote record accuracy and securethe privacy of individuals whose information is maintained within thesystem. EPIC's comments addressed TSA's failure to provideindividuals with meaningful access to personal information andmeaningful opportunities to correct inaccurate, irrelevant, untimelyand incomplete information. EPIC also noted Registered Traveler'sexemption from the requirement that a system maintain only informationthat is "relevant and necessary" to perform the system's function, andasserted that TSA's broadly drawn "routine uses" of RegisteredTraveler data would only heighten the system's privacy problems.

The Transportation Security Administration's notice on RegisteredTraveler is available at:
EPIC's comments are available at:

More information about CAPPS II and passenger profiling is availableat EPIC's Passenger Profiling Page:

[3] Federal Court OKs Service Provider E-mail Interception

The U.S. Court of Appeals for the First Circuit has ruled that acompany did not violate federal wiretap law when it used the e-mailservice it provided to its subscribers to access their e-mail so itcould review messages sent to them by a rival company. The issue inUnited States v. Councilman was whether an "intercept" of acommunication occurred within the meaning of the Wiretap Act. In a2-1 ruling, the court held that electronic communications are not"intercepted" if the communication is accessed while it is intemporary storage.

This case involved the conduct of Interloc, an online literaryclearinghouse that sought to pair its subscribers -- rare and usedbook dealers -- with book buyers. Bradford C. Councilman, formerexecutive of the company, directed Interloc employees to writecomputer code to intercept and copy all incoming communications to the subscriber book dealers, whom had been providede-mail service by Interloc. According to the indictment, the Interlocsystems administrator wrote a revision to the mail processing codedesigned to intercept, copy, and store all incoming messages before they were delivered to the subscribers, andtherefore, before the e-mail was read by the intended recipient.
Councilman was charged with using the code to intercept thousands ofmessages. Councilman and other Interloc employees routinely read thee-mails sent to Interloc subscribers seeking to gain a commercialadvantage.

The law at issue in this case involved the 1986 amendments to federalwiretap law. Prior to the amendments, only wire and oralcommunications were protected from interception under the Wiretap Act.
The amendments extended protections against interception to electroniccommunications, and also sought to establish legal standards foraccess to email in the possession of a service provider. The changescreated two categories of electronic communications -- those "intransit," which enjoy relatively generous protection under the law,
and those "in storage," which receive a lesser degree of legalprotection. The categories that resulted from the amendments wereviewed as complimentary efforts to protect the privacy of electroniccommunications. The "tiering" of communications resulted more fromthe effort to address specific concerns -- such as extendingprotections to electronic communications and creating safeguards forstored communications -- than to formally categorize the privacyprotection for each type of information. Thus, it is unlikely thatthe Congress that passed the 1986 amendments believed that an ISPshould be able to routinely review the contents of subscriber email.

The Court, however, determined that the plain language of the lawshowed that Congress did not intend for the law's interceptionprovisions to apply to electronic communications in electronicstorage. The Court also found that when the company obtained thee-mails, the messages were in temporary storage in a computer system.
The Court noted that the parties had stipulated that the e-mails werenot affected while they were transmitted through wires or cablesbetween computers. In light of these findings, the Court determinedthat the e-mails were not in transit and subject to interception, butwere instead stored communications. Because no "intercept" occurred,
the Court held that the Wiretap Act could not have been violated. Indissent, Judge Kermit V. Lipez warned that this interpretation of theWiretap Act "would undo decades of practice and precedent regardingthe scope of the Wiretap Act and would essentially render the actirrelevant to the protection of wire and electronic privacy."

The opinion in United States v. Councilman is available at:
For more information about electronic surveillance, see EPIC'sWiretapping Page:

[4] Judge Upholds Country's Strongest State Financial Privacy Law

A federal district judge in Sacramento, California has upheld thestate's financial privacy law, SB1, against a challenge brought byfinancial services trade groups. The groups were unsuccessful inarguing that the law, known as the California Financial InformationPrivacy Act, was preempted by the federal Fair Credit Reporting Act(FCRA). SB1 is the strongest financial privacy law in the nation. Itallows individuals to opt out of affiliate information sharing, andrequires opt-in consent before financial services institutions sellpersonal data to third parties (see EPIC Alert 10.17.)

SB1 was signed by former Governor Gray Davis after a four-yearlegislative battle. It became law only after major financial servicescompanies, some of which have hundreds or even thousands ofaffiliates, dropped their opposition to the legislation. However,
those companies later attempted to eliminate SB1's protections bypreempting the law at the federal level in passing amendments to theFCRA.

In holding that SB1 was not preempted by federal law, the Courtreasoned that the FCRA does not trump all state laws regulatinginformation sharing by affiliates. Rather, the FCRA pertains only tothe sharing of consumer reports among affiliates; that is, informationthat is used for an enumerated purpose of the FCRA, such as creditgranting.

The court found that the Gramm-Leach-Bliley Act was the controllinglaw for the regulation of affiliate information sharing. That law, asa result of the "Sarbanes Amendment," preserves the right of states topass more stringent protections for personal information that isexploited by financial services companies.

California's SB1 took effect on July 1, and contains substantialmonetary penalties for violation. It appears as though the financialservices industry did not take steps to comply with the law, and as aresult, is likely to pursue an injunction to delay implementation ofthe law and an expedited appeal.

The opinion in ABA v. Lockyer is available at:

SB 1, the California Financial Information Privacy Act:

EPIC Financial Privacy Resources:

[5] Voter Identification Bills Introduced in Congress

Two bills introduced in this session of Congress would place moreidentification requirements on those seeking to register to vote. Rep.
Phil Gringrey (R-GA) has introduced H.R. 4174, a bill that wouldrequire individuals to provide proof of United States citizenship as acondition of registering to vote. Rep. Henry Hyde (R-IL) hasintroduced H.R. 4530, a bill that would require any person registeringor reregistering to vote to provide proof of citizenship. H.R. 4530directs states not to provide a ballot to any individual unless heshows proof of citizenship. The states are to determine whichdocuments will be acceptable proof of citizenship under the advisementof the Election Assistance Commission, Secretary of Homeland Security,
and Secretary of State. The two bills have a total of eightco-sponsors between them, with two members' names appearing on bothbills.

A trade-off in privacy exists in the legal requirement of voterregistration to participate in publicly held elections. Voterregistration began its trek into common practice in the late 1890s,
when it was championed as a means of discouraging repeat voting andthe importation of voters from other jurisdictions to cast votes inlocal and some state elections. Each state is responsible foradministering voter registration within its boundaries. Today, voterregistration forms may include requests for name, current and previousaddress, home and work telephone numbers, birthplace, Social Securitynumber, birth date, race, gender, and party affiliation.

The Help America Vote Act, which became law in October 2002, requiresvoter registrants to submit proof of identity by providing a stateissued identity document or the last four digits of their SocialSecurity number. Since 1997, non-citizens may be deported for votingin local, state, or federal elections.

HAVA also establishes a computerized statewide voter registration listrequirement. Each state's election officer is directed to create auniform centralized interactive computerized statewide voterregistration list. The list is to be defined, maintained, andadministered at the state level and contains information for everylegally registered voter in each state. Under this system, the lawdirects that a "unique identifier" is to be assigned to each legallyregistered voter in a state. Further, the law directs that the listshould be coordinated with other agency databases within the state.
The system must be designed to allow any election official in thestate, including local election officials, to obtain immediateelectronic access to the information contained in the voterregistration database. The system must also allow unlimited access toany local election official to the computerized list. This list willserve as the official index of registered voters for any federal orstate election.

The law does require that the appropriate state or local officialshall provide adequate technological security measures to preventunauthorized access to the computerized list.

H.R. 4174:

H.R. 4530:

The Help America Vote Act is available at:
National Committee for Voting Integrity:

For more information about voter privacy, see EPIC's Voting Page:

[6] News in Brief

The Federal Trade Commission has charged Gateway Learning Corp., makerof Hooked on Phonics products, with violating federal law by rentingout personally identifiable consumer information collected through itsweb site to direct marketers in violation of the company's privacypolicy. The company had changed its privacy policy to allow sale ofpersonal information, and attempted to apply the new policyretroactively without first obtaining customers' consent for dataexploitation. The Commission noted that the disclosure includedinformation provided directly to the company by consumers who boughtHooked on Phonics, including names, addresses, phone numbers, and ageranges and gender of the consumers' children.

To settle the Commission's claims, Gateway has agreed not to makedeceptive claims about how it will use consumer information in thefuture, promised not to make material changes to its privacy policyretroactively without obtaining consumers' consent, and forfeited the$4,608 it earned from leasing the consumer information.

Federal Trade Commission press release:

In the Matter of Gateway Learning Corp.:

In a follow-up letter to testimony on enhancing Social Security number(SSN) privacy, EPIC and U.S. PIRG detailed the role that the SSN playsin identity theft. EPIC and U.S. PIRG explained to the House Ways andMeans Subcommittee on Social Security that widespread business andgovernment use of the SSN contributes to identity theft. The letterhighlighted bad privacy practices, including the general use of theSSN as both an identifier and an authenticator, and sloppy creditgranting practices where creditors facilitate identity theft byopening new accounts in victim's names. The letter also argued thatprivate investigators and others who have access to SSN databasesshould be subject to the full privacy responsibilities established bythe Fair Credit Reporting Act.

EPIC's Letter on SSN and Identity Theft:

EPIC Testimony on SSN Privacy:

For more information about the role of Social Security Numbers inidentity theft, see EPIC's SSN Privacy Page:

European Parliament President Pat Cox has announced his decision toask the European Union Court of Justice to annul the Council ofEurope's agreement between the European Community and the UnitedStates, allowing for transfer of Passenger Name Record (PNR) data onEU citizens to the U.S. Department of Homeland Security Bureau ofCustoms and Border Protection. Cox will also appeal the EuropeanCouncil's finding that the Bureau ensures adequate protection oftransferred PNR data, satisfying the EU's Data Protection Directive(EU Directive 95/46/EC). Mr. Cox said the request "reflects theconcern felt by a large majority in the European Parliament on theneed to defend European citizens' fundamental rights and freedoms ...
[B]oth the EU and the U.S. must guard against a new form of creepingextra-territoriality."

EU Commission's Decision on Adequacy:
EU-U.S. Agreement:

U.S.'s Undertakings:

For more information on the PNR transfer, see EPIC's Page on EU-U.S.
Airline Passenger Data Disclosure:

The House Energy and Commerce Committee has voted 45-4 in favor of ananti-spyware bill, setting the stage for its consideration by the fullHouse. The bill, termed the SPY ACT (Securely Protect YourselfAgainst Cyber Trespass Act), was passed after several changes weremade to the original draft sent up by the House Subcommittee onCommerce, Trade, and Consumer Protection.

The original draft of the bill prohibited deceptive practices relatedto spyware such as hijacking a computer's functions, changinghomepages without authorization, and surreptitious keystroke logging.
It also regulated "information collection programs" by mandatingexpress consent before installation, the provision of an uncomplicateddisabling function, and the disclosure of the type and purpose ofcollected information. The Federal Trade Commission was charged withenforcement and authorized to levy fines as large as $3 million forcertain violations. Recent changes to the bill effectively exemptsoftware located on servers from SPY ACT regulation, while alsoproviding an explicit exemption for monitoring software used bynetwork providers for security and anti-fraud purposes. The changesalso allow bundled multiple information collection programs to seekuser approval via a single notice, and water down the definition ofwhen there is a change in collected information for which new usernotice and consent will be required. The bill's sunset date has alsobeen extended by a year to December 31, 2009.

The current version of H.R. 2929 is available at:

The National Committee on Voting Integrity, established to promotevoter-verified balloting and to preserve privacy protections forelections in the United States, recently launched its web site, The web site provides news about importantdevelopments in voting practice and the Committee's continuingactivities, as well as an archive of letters, hearing testimony andother public Committee statements. The web archive includes theCommittee's recent written testimony to the U.S. Election AssistanceCommission hearing to review the use, security, and reliability ofelectronic voting systems, and its letter congratulating CommissionChairman Soaries for his "bold and decisive call for electronic votingcompanies to make the underlying software code of electronic votingtechnology available to election administrators." In addition, the website provides a valuable resource for researchers to familiarizethemselves with the key issues related to verifiable, private,
democratic elections. Coverage includes direct record electronicvoting machines, the Help America Vote Act, and centralized voterregistration databases.

Visit the National Committee on Voting Integrity web site at:

The Anonymity Project has launched a web site that provides adescription of research areas, interviews with project members, andother project information. Although the project iscross-disciplinary, it is based at the University of Ottawa, Facultyof Law. EPIC is a collaborator. The project consists of three broadresearch streams -- the nature and value of identity, anonymity andauthentication; the constitutional and legal aspects of anonymity; andtechnologies that identify, anonymize and authenticate. Researchresults will be made publicly available on the web site.

Visit "On the Identity Trail: Understanding the Importance ofAnonymity and Authentication in a Networked Society" at:

[7] EPIC Bookstore: Jennifer Government

Max Berry, Jennifer Government (Vintage 2004).

"In Max Barry's twisted, hilarious vision of the near future, theworld is run by giant American corporations (except for a few deludedholdouts like the French); taxes are illegal; employees take the lastnames of the companies they work for; The Police and The NRA arepublicly-traded security firms; the U.S. government may onlyinvestigate crimes if they can bill a citizen directly. It's a freemarket paradise!

"Hack Nike is a lowly Merchandising Officer who's not very good atnegotiating his salary. So when John Nike and John Nike, executivesfrom the promised land of Marketing, offer him a contract, he signswithout reading it. Unfortunately, Hack's new contract involvesshooting teenagers to build up street cred for Nike's new line of$2,500 sneakers. Scared, Hack goes to The Police, who assume he'sasking for a subcontracting deal and lease the assassinations to theNRA.

"Soon Hack finds himself pursued by Jennifer Government, atough-talking agent with a barcode tattoo under her eye and a rabiddetermination to nail John Nike (the boss of the other John Nike). Ina world where your job title means everything, the most cherishedpossession is a platinum credit card, and advertising jingles give wayto automatic weapons in the fight for market share, JenniferGovernment is the consumer watchdog from hell."

EPIC Publications:

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit onthe Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and theprocess of the World Summit on the Information Society (WSIS). Thisreference guide provides the official UN documents, regional andissue-oriented perspectives, as well as recommendations and proposalsfor future action, as well as a useful list of resources and contactsfor individuals and organizations that wish to become more involved inthe WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 21stedition fully updates the manual that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or need to learn how to litigatethem), this is an essential reference manual.

"Privacy & Human Rights 2003: An International Survey of Privacy Lawsand Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty-five countries around the world. The surveyexamines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systemsand freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

O'Reilly Open Source Convention. July 26-30, 2004. Portland, OR.
For more information:

2004 UK Big Brother Awards. Privacy International. July 28, 2004.
London, UK. For more information:

First Conference on Email and Anti-Spam. American Association forArtificial Intelligence and IEEE Technical Committee on Security andPrivacy. July 30-31, 2004. Mountain View, CA. For more information:

Crypto 2004: The Twenty-Fourth Annual IACR Crypto Conference.
International Association for Cryptologic Research, IEEE ComputerSociety Technical Committee on Security and Privacy, and the ComputerScience Department of the University of California, Santa Barbara.
August 15-19, 2004. Santa Barbara, CA. For more information:

Ninth National HIPAA Summit. September 12-14, 2004. Baltimore, MD.
For more information:

Public Voice Symposium: Privacy in a New Era: Challenges,
Opportunities and Partnerships. Electronic Privacy InformationCenter, European Digital Rights Initiative (EDRi), and PrivacyInternational. September 13, 2004. Wroclaw, Poland. For moreinformation:

The Right to Personal Data Protection -- the Right to Dignity. 26thInternational Conference on Data Protection and Privacy Commissioners.
September 14-16, 2004. Wroclaw, Poland. For more information:

2004 Telecommunications Policy Research Conference. National Centerfor Technology & Law, George Mason University School of Law. October1-3, 2004. Arlington, VA. For more information:

Health Privacy Conference. Office of the Information and PrivacyCommissioner of Alberta. October 4-5, 2004. Calgary, Alberta, Canada.
For more information:

IAPP Privacy and Data Security Academy & Expo. InternationalAssociation of Privacy Professionals. October 27-29, 2004. NewOrleans, LA. For more information:

Privacy and Security: Seeking the Middle Path. Office of theInformation & Privacy Commissioner of Ontario; Centre for InnovationLaw and Policy, University of Toronto; and Center for AppliedCryptographic Research, University of Waterloo. Toronto, Ontario,
Canada. October 28-29, 2004. For more information:

CFP2005: Fifteenth Annual Conference on Computers, Freedom andPrivacy. April 12-15, 2005. Seattle, WA. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248(fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you cancontribute online at:

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 11.13


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback