
EPIC Alert


EPIC Alert 11.21 [2004] EPICAlert 21


Volume 11.21 November 5, 2004

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] 17,000 Election Day Incidents Reported by Voters, Election Staff
[2] EPIC Urges Agency to Postpone Secure Flight Testing
[3] EPIC Recommends Privacy Protections for Public Records
[4] Privacy Officials Denounce Collection of Canadians' Data
[5] EPIC Calls For US-VISIT Data Safeguards
[6] News in Brief
[7] EPIC Bookstore: The Box Man
[8] Upcoming Conferences and Events

[1] 17,000 Election Day Incidents Reported by Voters, Election Staff

The 2004 Election Day saw the largest voter turnout in decades, with record numbers reached in many states. The evaluation of the election may take weeks or months, but the Election Incident Reporting System has already registered over 17,000 Election Day incidents, including everything from glitches in voting technology to problems with how the election was administered in jurisdictions across the nation. The greatest numbers of reports were from California, Florida, Texas, Ohio, Pennsylvania, and New York. The reports came directly from voters and Election Protection staff supplied by voter access projects conducted under the umbrella of the Leadership Conference on Civil Rights. The website used to record incidents was developed by members of the Computer Professionals for Social Responsibility and Verified Voting, with the assistance of members of the National Committee for Voting Integrity.

At a post-election press conference and discussion conducted by the National Committee for Voting Integrity, committee members reported that the need for data and analysis is critical to understanding what really happened on Election Day. Any statements regarding successes or failures must be backed by sound research, which is lacking. What is routine in most key private or public endeavors is a means of reporting and investigating problems as they occur. Current United States election administration, however, does not follow this model.

The National Committee for Voting Integrity announced a number of election reform recommendations to be considered in the discussions that will follow the election. These recommendations focus on securing voting technology from manipulation, establishing integrity in the administration of elections, safeguarding voter privacy, and guaranteeing equal voting rights in federal elections.

Election Incident Reporting System:

National Committee for Voting Integrity:

National Committee for Voting Integrity Recommendations:

Computer Professionals for Social Responsibility:

[2] EPIC Urges Agency to Postpone Secure Flight Testing

Concluding that the Secure Flight passenger prescreening proposal is, like CAPPS II, "exactly the sort of system that Congress sought to prohibit when it enacted the Privacy Act of 1974," EPIC has called for the test phase of Secure Flight to be postponed until the Transportation Security Administration addresses the program's significant privacy issues. EPIC has also asked that the public's opportunity to comment on the program be extended until the government is willing to make more information about Secure Flight available to the public.

EPIC's recommendations were made in response to notices published by the agency in September outlining plans for the test phase of Secure Flight. As described by the TSA, Secure Flight will compare Passenger Name Records (PNRs) against information compiled by the Terrorist Screening Center, which will include expanded "selectee" and "no fly" lists. TSA will also seek to identify "suspicious indicators associated with travel behavior" in passengers' itinerary PNR data. Furthermore, the agency is planning to test the use of commercial databases to verify the accuracy of information provided by travelers. TSA will administer the program, removing all passenger screening responsibility from the airlines. The agency also issued a proposed order that will direct airlines to turn over passenger records from June 2004 so that Secure Flight can be tested this fall.

EPIC's comments criticized the lack of transparency in the government's development of Secure Flight, noting that the FBI, TSA, and Bureau of Customs and Border Protection have all failed to disclose details about the system in response to Freedom of Information Act requests. The comments also addressed TSA's failure to provide individuals with meaningful access to personal information and meaningful opportunities to correct inaccurate, irrelevant, untimely and incomplete information. EPIC also noted Secure Flight's exemption from the requirement that a system maintain only information that is "relevant and necessary" to perform the system's function.

EPIC concluded that "development of the system should be suspended until TSA and other agencies involved in Secure Flight's development are willing to disclose information about the program to the public[.]" EPIC also urged the agency not to collect personal information about passengers for testing purposes until the Secure Flight proposal has been revised to address the program's significant privacy issues.

The comment period for the proposal ended just a week after President Bush signed into law the Department of Homeland Security Appropriations Act of 2005, which withholds funding for the deployment of Secure Flight until the General Accounting Office examines the privacy implications and other aspects of the system. The GAO must submit its report no later than March 28, 2005.

EPIC's comments to TSA on the Secure Flight test phase:

EPIC's comments to the Office of Management and Budget on TSA's request for emergency processing of June 2004 passenger data:

Privacy Act notice on the test phase of Secure Flight:

Secure Flight privacy impact assessment:

TSA request to the Office of Management and Budget for emergency processing of June 2004 passenger data:

Department of Homeland Security Appropriations Act of 2005:

[3] EPIC Recommends Privacy Protections for Public Records

In comments to a committee formed by the Florida Supreme Court, EPIC argued that protections should be in place for personal information that appears in public records. EPIC argued that the very purpose of public records -- the ability of the individual to learn about the government -- is turned on its head when the records include excessive personal information. Instead of being a citizen's window into government activities, these records are giving the government, law enforcement, and data brokers a window into our daily lives. Without privacy protections, court and other public records will be commodified for commercial purposes unrelated to government oversight.

States that allow broad access to public records are supplying troves of data to law enforcement. For instance, ChoicePoint, a company that sells personal information to law enforcement, includes thirty-six extra databases on Florida residents and seven extra on Texans. Access to information on Florida residents is particularly broad. It includes marriage records, beverage licensees, concealed weapons permits, day care licensees, handicapped parking permits, "sweepstakes," worker compensation, medical malpractice, and salt water product licensees.

This information is also available to data marketers. In the comments, EPIC included advertisements for Florida residents' information from government databases that is sold to marketers. The databases were for residents of Florida with auto insurance, those who own SUVs, and those who own motorcycles.

EPIC recommended four approaches to reducing privacy risk with respect to court records. First, data should be minimized. That is, the court should collect the minimum information necessary to perform its duties. Second, protection should also be in place for paper records because sophisticated data aggregators have the resources to visit the actual courthouse and scan paper records to extract data from them. Third, EPIC recommended that Florida consider limitations on the use of public records so that they are not commodified for commercial purposes. Last, EPIC emphasized the importance of removing unique identifiers from the records. Social Security Numbers, birth dates, addresses, and phone numbers all enable data aggregators to link records and resell them for unrelated purposes.

EPIC's comments:

For more information about public record privacy, see EPIC's Public Records Page:

[4] Privacy Officials Denounce Collection of Canadians' Data

Two Canadian privacy officials have released reports asserting that the war on terror is compromising the privacy of Canadians.

In her annual report to Parliament, Canadian Privacy Commissioner Jennifer Stoddart noted that increased collection of personal information in the name of national security poses a grave threat to civil liberties. "Personal information about Canadians continues to be gathered, stored, sorted and shared in alarming amounts on the basis of the idea -- however unproven -- that more information about individuals equals greater security against terrorists and other threats," Ms. Stoddart's report says. "We are concerned about the increasing integration of our border security with that of the United States, and the impetus this gives to the collection of large databases of personal information about travellers, potential travellers, and people in the transportation industry who must cross borders regularly to do their jobs."

Ms. Stoddart further argued that "we must ensure the privacy rights of individuals are not lost or submerged in the chorus of voices calling for more security, more data, and more information about all of us."

Ms. Stoddart's findings were released shortly after a related report by British Columbia's Information and Privacy Commissioner David Loukidelis was made public. Mr. Loukidelis' report concluded that the USA PATRIOT Act violates British Columbian privacy laws, and that personal information about Canadians may be accessible to the U.S. government under the Act. Mr. Loukidelis' report analyzed the possible impact of outsourcing British Columbia government functions to U.S. companies, and what happens when the U.S. government orders those companies to turn over Canadian information through the USA PATRIOT Act.

The report concluded that changes to privacy law and other measures are necessary to protect British Columbians' personal information against seizure under the controversial American law. Recommendations in the report include prohibiting personal information possessed by a public body from being sent outside British Columbia for management, storage or safekeeping and auditing outsourcing contracts and data mining activities to assure that companies and government entities in British Columbia comply with Canadian federal privacy laws.

Mr. Loukidelis' report was released just days after the British Columbia provincial government passed a bill intended to protect British Columbians against the USA PATRIOT Act. Mr. Loukidelis called the changes made by the new law "positive steps forward," but concluded that "further amendments should be considered to strengthen and clarify the new provisions."

Privacy Commissioner of Canada's annual report to Parliament:

Information and Privacy Commissioner of British Columbia's report on the USA PATRIOT Act:

For more information about the USA PATRIOT Act, see EPIC's USA PATRIOT Act Page:

[5] EPIC Calls For US-VISIT Data Safeguards

EPIC warned the Department of Homeland Security this week of the dangers of the expansion of a controversial border protection program. In its November 1 filing with the agency, EPIC commented on potential privacy implications of the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program. This program, in operation since January 5, requires most foreign travelers to provide fingerprints and photographs upon entering and exiting the U.S. at selected ports.

This entry-exit system is based upon a vast network of databases containing alien arrival and departure data accessible from machine-readable visas, passports and other travel documents. The identifiers, which may expand to include other forms of biometrics, are not only used to conduct identity and background checks, but are also shared with outside law enforcement systems.

EPIC's comments were filed in response to an interim rule published by DHS expanding US-VISIT to the 50 busiest land border points of entry into the United States by the end of this year. It also expanded the category of individuals who must provide biometric identifiers and other identifying information to include visitors who travel to the United States through the Visa Waiver Program, as well as Mexican citizens traveling to and from the United States.

EPIC's comments stressed the dangers of mission creep, pointing out that DHS has provided no legal basis to "authorize widespread disclosure of data for purposes wholly unrelated to the entry-exit system's goals," such as allowing the FBI direct access to US-VISIT information. To guard against this problem, EPIC recommended that the government apply international privacy standards to the collection and use of personal information of non-U.S. citizens.

The comments also emphasized the importance of safeguarding the accuracy and security of the information collected through US-VISIT. The DHS interim rule pledges to develop "the most accurate and efficient" method of collecting information by evaluating the cost and expediency of the options. EPIC pointed out that these goals can not be met unless the agency focuses on the rate of error associated with the system and the potential for unauthorized access to the information.

US-VISIT has implemented a three-step system for correcting errors contained in its database. EPIC's comments commended this step as a much-needed protection, but urged the agency to recognize some form of judicial review of its internal decisions.

EPIC's comments on the US-VISIT program:

For more information about the US-VISIT program, see EPIC's US-VISIT page:

[6] News in Brief

In a September 21 decision, the Court of Justice of the European Communities denied the European Parliament's request that the court quickly review a complaint on the Passenger Name Records (PNR) agreement passed last May between the Department of Homeland Security and the European Commission. The European Parliament claimed last May that the PNR agreement should be annulled, arguing that it violates European data protection legislation, and that the European Parliament's assent is necessary for the agreement to enter into force.

The court held that an emergency ruling would not prevent the "serious consequences" the PNR agreement may have on the passengers concerned. The European jurisdiction observes that in order to exclude or limit the legal consequences of the PNR agreement on passengers, the European Parliament should have applied for a preliminary injunction (demande de sursis à l'exécution), which was the most appropriate procedure available.

The Court's ruling on the PNR agreement is not likely to be issued until the end of 2007, just as the agreement expires.

The court's decision: (in French)

For more information about the agreement, see EPIC's EU-U.S. Airline Passenger Data Disclosure Page:

In comments filed October 25, EPIC urged the Transportation Security Administration to safeguard personal information in two data collection programs. The Transportation Workers Identification Credentialing System (TWIC) and the Transportation Security Threat Assessment System (T-STAS) are intended to compile data on a variety of people directly and indirectly related to the transportation industry, including flight crews, passenger screeners, and aliens or "other individuals designated by TSA" who apply for flight training. The comments noted the dangers of identity theft, misappropriation and mission creep if the data collected for these programs are not properly protected. EPIC stressed that "TSA must take great care to ensure that both collections do not become error-filled, invasive repositories of all sorts of information bearing no relationship to their stated goal."

EPIC's comments on TWIC and T-STAS:

EPIC's air travel privacy page:

A recent survey by Artafact LLC and BIGresearch reveals that a majority of consumers who are aware of RFID technologies are "very or somewhat concerned about invasion of privacy issues." 88% of respondents concerned with privacy cited the government as the organization most likely to abuse consumer privacy information. After the government come "crooks and bad guys," banks, insurance companies and credit card companies as the entities most likely to abuse consumers' personal information. Only 35% of consumers concerned about protecting their personal information believed that RFID (Radio Frequency Identification) is a "good idea." Although consumers surveyed also recognized the benefits of easily tracking merchandise and preventing theft for businesses, many of them believe they will not reap any benefit from RFID technology and are concerned with potential for misuse, given the lack of any safeguards.

Previous surveys have shown similar consumer privacy concerns. A June 2004 study conducted by Capgemini Group and the National Retail Federation found that 77% of more than 1,000 consumers surveyed were not familiar with RFID. Of those that were familiar with RFID, less than half (42%) had a favorable perception of the technology, while 31% had no opinion. An Auto-ID Center/Procter & Gamble-sponsored survey, not intended for public dissemination, found that 78% of respondents had a negative reaction to RFID use, with more than half of the respondents claiming to be extremely or very concerned. The study also found that consumers did not want "smart tags" in their homes, and the reassurance that the "tags" could be turned off and privacy guaranteed was not compelling.

The Artafact LLC and BIGresearch study:
The Auto-ID Center/Procter & Gamble survey:

For more information about radio frequency identification, see EPIC's RFID Page:

In a notice published in the Federal Register, the Selective Service System announced that it will begin matching its records with the Department of Education. The stated purpose of the data matching is to determine whether students with federal student aid loans have registered for the draft, as federal law prohibits unregistered individuals from receiving government funds under the Higher Education Act of 1965.

Federal Register Notice:

For more information about the Privacy Act, see EPIC's Privacy Act Page:

A brother and sister from North Carolina became the first people in the nation convicted on felony spamming charges this week. A jury in Loudoun County, Virginia, found both Jeremy Jaynes and his sister, Jessica DeGroot, guilty of three felony violations of the Virginia anti-spam law for flooding the email accounts of America Online users with more than 10,000 unsolicited commercial ads from fake Internet addresses in just three days. The jury, in what could be viewed as a statement on the value placed on this form of commercial speech, recommended a sentence of nine years in prison for Jaynes, and a fine of $7,500 for DeGroot. A third defendant was acquitted on all three counts.

For more information about spam, see EPIC's Spam Page:

[7] EPIC Bookstore: The Box Man

Kobo Abe, The Box Man (Vintage Books 1974).

The Box Man is a study of a nameless protagonist who dons a box and observes life in anonymity, often wandering in circles around Tokyo. It's a hilarious story, complete with air gun-wielding objectors to box men, "fake" or wanna-be box men, and a strange woman who is constantly undressing. There is perhaps no concise way to explain this work, as much of it is either imagination or dream, so I have simply quoted from it:

"This is a record of a box man."

"I am beginning this account in a box. A cardboard box that reaches just to my hips when I put it on over my head."

"That is to say, at this juncture the box man is me. A box man, in his box, is recording the chronicle of a box man."

". . . [I]t requires considerable courage to put the box on, over your head, and get to be a box man . . . as soon as anyone gets into this simple, unprepossessing paper cubicle and goes out into the streets, he turns into an apparition that is neither man nor box . . ."

Chris Jay Hoofnagle

EPIC Publications:

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, as well as recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"Privacy & Human Rights 2003: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty-five countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

BloggerCon III. Stanford Law School. November 6, 2004. Palo Alto, CA. For more information:

Copyright & Privacy: Collision or Coexistence? The John Marshall Law School. November 18, 2004. Chicago, IL. For more information:

The 2004 Isaac Pitblado Lectures: Privacy -- Another Snail in the Ginger Beer. The Law Society of Manitoba, The Manitoba Bar Association and the University of Manitoba Faculty of Law. November 19-20, 2004. Manitoba, Canada. For more information:

2004 Big Brother Awards Hungary. November 25, 2004. Budapest, Hungary. For more information:

Africa Electronic Privacy and Public Voice Symposium. The Public Voice. December 6, 2004. Cape Town, South Africa. For more information:

National Security, Law Enforcement and Data Protection. British Institute of International and Comparative Law Data Protection Research and Policy Group. December 8, 2004. London, UK. For more information:

3rd Annual Digital Rights Management Conference 2005. Ministry of Science and Research of the State Northrhine Westfalia, Germany. January 13-24, 2005. Berlin, Germany. For more information:

12th Annual Network and Distributed System Security Symposium. The Internet Society. February 3-4, 2005. San Diego, CA. For more information:

14th Annual RSA Conference. RSA Security. February 14-18, 2005. San Francisco, CA. For more information:

The World Summit on the Information Society PrepCom 2. February 17-25, 2005. Geneva, Switzerland. For more information:

The Concealed I: Anonymity, Identity, and the Prospect of Privacy. On the Identity Trail and the Law and Technology Program at the University of Ottawa. March 4-5, 2005. Ottawa, Canada. For more information:

O'Reilly Emerging Technology Conference. March 14-17, 2005. San Diego, CA. For more information:

7th International General Online Research Conference. German Society for Online Research. March 22-23, 2005. Zurich, Switzerland. For more information:

5th Annual Future of Music Policy Summit. Future of Music Coalition. April 10-11, 2005. Washington DC. For more information:

CFP2005: Fifteenth Annual Conference on Computers, Freedom and Privacy. April 12-15, 2005. Seattle, WA. For more information:

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research. May 8-11, 2005. Berkeley, CA. For more information:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing. Technical Committee on Security & Protection in Information Processing Systems with the support of Information Processing Society of Japan. May 30-June 1, 2005. Chiba, Japan. For more information:

3rd International Human.SocietyInternet Conference. July 27-29, 2005. Tokyo, Japan. For more information:

The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 11.21

