
EPIC Alert



EPIC Alert 11.22 [2004] EPICAlert 22


Volume 11.22 November 18, 2004

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Releases 2004 Privacy & Human Rights Report
[2] Agency Orders 72 Airlines to Turn Over Passenger Information
[3] EPIC Joins Coalition to Support Privacy in Email Intercept Case
[4] Government Report Finds SSNs in Many State, County Records
[5] FTC Proposes Major Telemarketing Loophole
[6] News in Brief
[7] EPIC Bookstore: Privacy & Human Rights 2004
[8] Upcoming Conferences and Events

[1] EPIC Releases 2004 Privacy & Human Rights Report

The Electronic Privacy Information Center and Privacy International released the seventh annual Privacy & Human Rights survey on November 17. This report reviews the state of privacy in more than sixty countries around the world. It outlines legal protections for privacy and new challenges, and summarizes important issues and events relating to privacy and surveillance.

The 2004 survey points to several key global developments that have taken place in the last year, from the establishment of traveler profiling systems, the creation of biometric IDs and smart cards to the use of radio frequency identification technologies, video surveillance, and DNA and health information databases. Government authorities and private companies have increased their use of these new technologies and been keen on setting up sophisticated identification and surveillance of their citizens, customers and employees.

As the use of such technologies has increased, many countries around the world have pursued policy and legislative efforts to respond to the threat of terrorism. These efforts are intended to provide law enforcement and national security agencies with more tools of control and intensify collection of information and data sharing, thanks to a growing cooperation between government agencies and the private sector, while limiting means of oversight of those practices.

Several governments, the United States government taking the lead, have deployed new measures to facilitate the identification and tracking of people traveling across country borders, from passenger prescreening and profiling systems to biometric travel documents and databases for foreigners. Many governments have established new national ID schemes. Others have revived schemes that were rejected in the past due to lack of public support or legitimacy, covering first foreigners and minority populations, and extending them later to all citizens.

Video surveillance, smart cards and DNA databases also present growing risks to individuals' privacy, as do the use of radio frequency identification technologies in the private and public sectors. Some criticisms of these new technologies focus on the lack of adequate data protection laws in the countries in which they are used. Others question the increasing number of purposes for which these technologies are used regardless of the motives that originally justified their deployment.

Opposition to these technologies has been voiced by numerous stakeholders. National parliaments have questioned the legitimacy of some of the technologies or their presumed effectiveness. Data protection authorities have issued reports and filed complaints to pinpoint ethical, legal and social implications for citizens' civil liberties and privacy rights. Human rights groups have organized coalitions to oppose some of the most intrusive surveillance proposals.

Progress for privacy is also noticeable in the 10 new European Member States, mostly in Eastern Europe, where the EU Data Protection Directive has been transposed in the legal framework. Furthermore, Asian and Latin American countries have passed new privacy legislation to tackle the potential misuse of personal information by new technologies.

To learn more about the report or purchase copies, visit the EPIC Bookstore:

The report is also available online at Privacy International's website:

[2] Agency Orders 72 Airlines to Turn Over Passenger Information

The Transportation Security Administration has demanded that 72 airlines turn over a month's worth of passenger data to test the Secure Flight passenger prescreening program. The airlines have been told they must give the agency all Passenger Name Records (PNRs) from June 2004 domestic flights by November 23.

The order will affect PNRs of about 50 million passengers. Data that will be disclosed to the government may include such sensitive information as credit card numbers, travel itineraries, addresses, telephone numbers and meal requests, which could reveal a passenger's religion or ethnicity.

TSA has exempted the information collected during the test phase of Secure Flight from important protections provided by the Privacy Act, such as judicially enforceable rights to access and correct personal data. The agency has also exempted the test phase from the Privacy Act requirement that the government maintain only information that is "relevant and necessary" to perform the test phase.

As proposed by the TSA, Secure Flight will compare PNRs against information compiled by the Terrorist Screening Center, which will include expanded "selectee" and "no fly" lists. TSA will also seek to identify "suspicious indicators associated with travel behavior" in passengers' itinerary PNR data. Furthermore, the agency is planning to test the use of commercial databases to verify the accuracy of information provided by travelers.

TSA received about 500 comments from the public last month in response to the Secure Flight proposal. Most of those who commented voiced concern about Secure Flight's implications for privacy and other civil liberties.

Under the recently passed Department of Homeland Security Appropriations Act of 2005, no funding may be used to deploy Secure Flight until the Government Accountability Office examines the privacy implications and other aspects of the program. The GAO must submit its report on Secure Flight to Congress no later than March 28, 2005.

TSA's order to airlines to turn over June 2004 PNRs:

For more information about passenger prescreening, see EPIC's Passenger Profiling Page:

[3] EPIC Joins Coalition to Support Privacy in Email Intercept Case

EPIC joined five civil liberties groups to file a "friend of the court" brief encouraging the First Circuit Court of Appeals to overturn a controversial ruling on email privacy.

In June, a three-judge panel held in United States v. Councilman that an email service provider did not violate criminal wiretap laws by acquiring users' incoming emails without their knowledge or consent to gain a commercial advantage over a competitor. Because the emails were not actually in wires or cables between computers when accessed, but were instead temporarily stored on the service provider's computer system, the panel found the emails could not have been "intercepted" in violation of wiretap law. The First Circuit has withdrawn the panel decision and is reconsidering the case.

The civil liberties groups' brief argued that the panel's decision creates serious constitutional questions under the Fourth Amendment guarantee against unreasonable search and seizure. The brief was also joined by the Center for Democracy and Technology, Electronic Frontier Foundation, American Civil Liberties Union, American Library Association, and Center for National Security Studies.

Senator Patrick Leahy (D-VT) also filed an amicus brief discussing what Congress had in mind when it extended legal protections to email in 1986. Senator Leahy, the sponsor of the Senate version of the legislation that became the Electronic Communications Privacy Act, argued that the panel's decision fails to recognize Congress' intent to protect the privacy of electronic communications when the Act was passed, and should be reversed.

Five technical experts also filed a brief in favor of Internet privacy, explaining that email should receive full legal protection while in transmission. "Internet-based mail services clearly distinguish between the routine storage that occurs when a message reaches its destination . . . and the temporary 'storage' that occurs as electronic mail moves in many discrete steps from sender to recipient," the brief argued. The technical experts endorsing the brief were Dr. Whitfield Diffie, Chief Security Officer of Sun Microsystems; Dr. Edward W. Felten, Professor of Computer Science at Princeton University; Dr. John R. Levine, Chair of the Internet Research Task Force Anti-Spam Research Group; Dr. Peter G. Neumann, Principal Scientist in the Computer Science Lab at SRI International; and Dr. Bruce Schneier, Chief Technical Officer of Counterpane Security.

The First Circuit will hear oral arguments in the rehearing next month.

Amicus brief filed by civil liberties groups:

Amicus brief filed by Senator Leahy:

Amicus brief filed by technologists:

For more information about the case, see EPIC's United States v. Councilman Page:

[4] Government Report Finds SSNs in Many State, County Records

The Government Accountability Office, the investigative arm of Congress, has released a report finding that Social Security Numbers (SSNs) "are widely exposed to view in a variety of public records, particularly those held by state and local government." The GAO estimated that "individuals' SSNs are displayed in some public records in 80 to 94 percent of U.S. counties." The GAO also found that agencies in "41 states as well as the District of Columbia reported holding at least one type of public record that shows the SSN." SSNs were most frequently found in court and property records.

SSNs were less likely to be found in the public records of federal executive agencies because of protections provided by the Privacy Act. However, the GAO did report finding SSNs in some federal court records.

These findings are important because the presence of SSNs in public records "increases the likelihood that they will be misused for inappropriate mining of personal information, violation of privacy, and identity theft." Indeed, public records are a major source for personal information used by data brokers and direct marketers. Once personal information appears in a public record, some data brokers can collect, use, and disclose the information without any privacy obligations. There is also a risk that identity thieves will mine public records in order to locate new victims.

The report also noted that 57 million identification cards bearing a full SSN have been issued by the federal government to employees and individuals in benefits programs or the military. The GAO reported that the practice "puts cardholders at risk for identity theft due to the increased potential for accidental loss, theft, or visual exposure." The GAO recommended that the government investigate SSN display on identification cards and develop a unified approach to addressing the problem.

The report was requested by Representative Clay Shaw (R-FL), the Chairman of the Ways and Means Subcommittee on Social Security. Rep. Shaw has been a consistent supporter of greater privacy protections for SSNs.

Government Accountability Office, Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards:

For more information about the privacy of Social Security Numbers, see EPIC's SSN Page:

For more information about public record privacy, see EPIC's Public Records Page:

[5] FTC Proposes Major Telemarketing Loophole

The Federal Trade Commission has proposed to create a loophole in telemarketing regulations that will allow companies to deliver "prerecorded message telemarketing" to their existing customers. This type of telemarketing also leaves "answering machine spam," unwanted messages on voicemail. Even those enrolled in the Do-Not-Call Registry will be affected by the proposed loophole.

Under the proposal, companies could call their current customers and play a recorded message. The message would have to give the consumer an opportunity to opt out of the calls, either by pressing a button or by calling a toll-free number. The key to the proposal is the definition of businesses' "current customers." Under the Do-Not-Call Regulations, a business relationship exists whenever an individual makes an inquiry about or buys any product or service. Inquiries create a relationship for three months; purchases for eighteen. During that period, the company can make telemarketing calls even if the individual is enrolled in the Do-Not-Call Registry, and the individual must opt out of each business relationship individually. Technically, under the regulations, buying a cup of coffee creates a business relationship that permits telemarketing for eighteen months.

The Commission's proposal comes at a time when technology and business practices could create the "perfect storm" for a barrage of unwanted telemarketing and answering machine spam. Technologically, with Internet telephony (VoIP), it now is easier and less expensive to use a regular computer to initiate automated, prerecorded voice calls. Additionally, many retail businesses are asking for identification information at the point of sale. Companies collecting this information could exploit this loophole to send volumes of prerecorded telemarketing and answering machine spam.

In proposing this loophole, the Commission is acting on a petition brought by the Voice Mail Broadcasting Corporation, a company that automates the delivery of messages to answering machines. A news article from 1999 indicates that the company could make 1.5 million calls a day. If the loophole is accepted, other companies are likely to clone the practice, resulting in an increase of unwanted telemarketing.

EPIC and a coalition of privacy groups will file formal comments on the loophole, stressing that individuals can opt in to this form of telemarketing if they choose, but that a mere business relationship should not authorize companies to deliver prerecorded messages. The Commission is accepting comments until January 10, 2005.

Proposed amendment to the telemarketing sales rule:

Anyone may comment on this loophole by visiting the FTC comment website:

[6] News in Brief

Giving in to the House in negotiations over legislation to implement the recommendations of the 9/11 Commission, the Senate agreed to allow the government's intelligence budget to remain classified. This decision undermines the Commission's finding that Congressional oversight of intelligence must be improved, and supports a tradition of secrecy and extensive classification that may frustrate public oversight and press reporting on matters of national interest.

In exchange for this compromise with the House, the legislation would now call for "exclusive" authority by the national intelligence director over the National Intelligence Program budget. Currently, the defense secretary controls approximately 80 percent of funding for government intelligence.

For more information about the Commission's findings, see EPIC's page on the 9/11 Commission recommendations:

EPIC and Private Citizen, Inc. argued in a brief to the Georgia Supreme Court that "junk faxing is simply electronic trespass as a means to committing advertising by theft -- the electronic equivalent of junk mail sent postage due." In the case, Carnett's Inc. v. Michelle Hammond, the court will determine whether individuals can bring class action suits under the Telephone Consumer Protection Act, a law that prohibits the sending of "junk faxes," unsolicited commercial facsimile messages. EPIC argued that class actions are essential to the law's effectiveness, noting that junk faxers collectively transmit two billion messages a year. The brief also argues that no "established business relationship" exemption exists that would permit sending unwanted faxes.

Coalition brief on junk faxes:

For more information about junk faxing, see EPIC's Telemarketing and Junk Fax Page:

Drug manufacturers will soon add radio frequency identification (RFID) tags to bottles of prescription pills. This move comes after the Food and Drug Administration (FDA) issued voluntary guidelines lifting restrictions on labeling that may have discouraged companies from testing out the technology. The RFID tags will be used to combat the small but growing problem of prescription drug counterfeiting by allowing tracking of wholesale drug products from manufacturers to pharmacies. Tags will first be used in a test phase that will last until December 31, 2007. In February 2004, the FDA issued a report entitled "Combating Counterfeit Drugs" which encouraged drugmakers to use RFID chips on their products.

In a position statement issued in November 2003 on RFID technology, almost 50 consumer privacy and civil liberties organizations around the world found the use of RFID tags for tracking pharmaceuticals acceptable as long as the tags help ensure the drugs are not counterfeit, are handled properly and dispensed appropriately, and the tags contained on or in the pharmaceutical containers are physically removed or permanently disabled before being sold to consumers.

For more information about radio frequency identification technology, see EPIC's RFID Page:

California has passed Proposition 69, a measure that requires a DNA sample to be taken from every adult and juvenile convicted of a felony and from every adult arrested on suspicion of murder or certain sex crimes in the state. The law will expand in 2009 to include individuals arrested on suspicion of any felony and certain misdemeanors. Retroactive provisions require that samples also be obtained from some California prison inmates and parolees not covered under previous law, which applies only to those convicted of serious felonies. The new law will add tens of thousands of new DNA profiles to a statewide database, which in turn feeds into the FBI's national DNA database.

For more information about DNA privacy, see EPIC's Genetic Privacy Page:

The 15th annual conference on Computers, Freedom & Privacy takes place from Tuesday, April 12, to Friday, April 15, 2005, in Seattle, Washington. The theme of the conference is "Panopticon." The conference's program committee is currently accepting proposals for conference sessions and speakers. Submit your ideas by December 31,

CFP 2005:

[7] EPIC Bookstore: Privacy & Human Rights 2004

Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments (EPIC 2004).

This annual report by EPIC and Privacy International reviews the state of privacy in more than sixty countries around the world. It outlines legal protections, new challenges, and summarizes important issues and events relating to privacy. Privacy & Human Rights 2004 is the most comprehensive report on privacy and data protection ever published.

The 2004 edition of Privacy & Human Rights documents the continued expansion of government surveillance authority. Many countries have pursued new identification schemes, expanded monitoring of communications, weakened data protection laws, and intensified data transfers between the public and private sectors.

The 2004 Privacy & Human Rights report also finds continuing opposition to traveler profiling systems, secret video surveillance, smart cards, DNA and health information databases, and radio frequency identification (RFID) technologies. New topics for 2004 include travel privacy, electronic voting, census, nanotechnologies, and the World Summit on the Information Society. The 2004 survey notes the adoption of new data protection and open government laws, and includes new country reports from Latin America, Africa, and Asia.

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, as well as recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

The 2004 Isaac Pitblado Lectures: Privacy -- Another Snail in the Ginger Beer. The Law Society of Manitoba, The Manitoba Bar Association and the University of Manitoba Faculty of Law. November 19-20, 2004. Manitoba, Canada. For more information:

2004 Big Brother Awards Hungary. November 25, 2004. Budapest, Hungary. For more information:

Africa Electronic Privacy and Public Voice Symposium. The Public Voice. December 6, 2004. Capetown, South Africa. For more information:

National Security, Law Enforcement and Data Protection. British Institute of International and Comparative Law Data Protection Research and Policy Group. December 8, 2004. London, UK. For more information:

3rd Annual Digital Rights Management Conference 2005. Ministry of Science and Research of the State Northrhine Westfalia, Germany. January 13-24, 2005. Berlin, Germany. For more information:

12th Annual Network and Distributed System Security Symposium. The Internet Society. February 3-4, 2005. San Diego, CA. For more information:

14th Annual RSA Conference. RSA Security. February 14-18, 2005. San Francisco, CA. For more information:

The World Summit on the Information Society PrepCom 2. February 17-25, 2005. Geneva, Switzerland. For more information:

The Concealed I: Anonymity, Identity, and the Prospect of Privacy. On the Identity Trail and the Law and Technology Program at the University of Ottawa. March 4-5, 2005. Ottawa, Canada. For more information:

O'Reilly Emerging Technology Conference. March 14-17, 2005. San Diego, CA. For more information:

7th International General Online Research Conference. German Society for Online Research. March 22-23, 2005. Zurich, Switzerland. For more information:

5th Annual Future of Music Policy Summit. Future of Music Coalition. April 10-11, 2005. Washington DC. For more information:

CFP2005: Fifteenth Annual Conference on Computers, Freedom and Privacy. April 12-15, 2005. Seattle, WA. For more information:

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research. May 8-11, 2005. Berkeley, CA. For more information:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing. Technical Committee on Security & Protection in Information Processing Systems with the support of Information Processing Society of Japan. May 30-June 1, 2005. Chiba, Japan. For more information:

3rd International Human.Society@Internet Conference. July 27-29, 2005. Tokyo, Japan. For more information:

The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 11.22

