WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2005 >> [2005] EPICAlert 11

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 12.10 [2005] EPICAlert 11


Volume 12.10 May 20, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] More Than 40 Groups Oppose Homeland Security's Weak Privacy Rules
[2] EPIC Documents: DC Metro's SmarTrip Collects Vast Traveler Data
[3] Congress Passes Controversial ID Bill Without Debate
[4] Study Shows Data Brokers' Files Error-Ridden, Acxiom Unresponsive
[5] House Bill Would Turn SSN Into a National Identifier
[6] News in Brief
[7] EPIC Bookstore: Jensen & Draffan's "Welcome to the Machine"

[8] Upcoming Conferences and Events

[1] More Than 40 Groups Oppose Homeland Security's Weak Privacy Rules

A coalition of 41 groups including EPIC, American Civil Liberties Union,Council On American-Islamic Relations, and People For The American Way,submitted comments opposing the Department of Homeland Security's planto exempt a vast database from legal requirements that protect privacyand promote government accountability. The coalition stated that theagency's plan leaves individuals without the ability to correctinaccurate information and without protection against possible abuse ofthe database.

According to DHS, the Homeland Security Operations Center Database("HSOCD"), will serve as "a single, centralized repository for gatheredinformation." The agency seeks broad exemptions from key fairinformation principles such as the Privacy Act of 1974 requirements thatan individual be permitted access to personal information, that anindividual be permitted to correct and amend personal information, andthat an agency assure the reliability of personal information for itsintended use. These exemptions would allow DHS to track and profileindividuals, including American citizens who seek to aid homelandsecurity investigations, with little accountability.

For this database, DHS proposes to deny individuals the civil remediesthey have against an agency for failure to comply with its obligationsunder the Privacy Act. Providing individuals with the right to judicialreview is crucial because the new database will have information notonly about suspected criminals, but also about people who offerinformation about terrorism, as well as current and former DHS employeesand contractors. Though the Privacy Act requires an agency to providereasons why the database should be exempted, DHS has not yet provided anexplanation.

The coalition asked DHS to create privacy rules for the database thatwould 1) provide individuals judicially enforceable rights of access andcorrection; 2) limit the collection of information to only that which isnecessary and relevant; and 3) respect individuals' rights to theirinformation that is collected and maintained by the agency.

Coalition Comments on the Proposed Exemptions for the DHS Database (pdf):

The Department of Homeland Security's Notice of Privacy Act Exemptionsfor the Database:

NPR Story: Privacy Groups Sound Warning on Homeland Security Database

EPIC's Privacy Act of 1974 page:

[2] EPIC Documents: DC Metro's SmarTrip Collects Vast Traveler Data

Documents recently obtained by EPIC from the Washington MetropolitanArea Transit Authority show the extensive scope of the data collectedand processed by the SmarTrip program. SmarTrip uses permanent,rechargeable farecards embedded with radio frequency identification(RFID) chips to keep track of the cards' values and travel itineraries.
SmarTrip cards can be used to pay fares on the Metro's rail and bussystems, as well as for parking in Metro parking lots.

The documents show that the SmarTrip program can collect a vast amountof information about a passenger, including personal information such asname, address, and phone number; the place and time of the passenger'sarrival in the Metro system; the place where the passenger exits thesystem; the amount of time the passenger spends traveling within thesystem; and the time and date the passenger enters and leaves a Metroparking lot. This data can be used to create a detailed profile of theSmarTrip cardholder. Most similar records held by state agencies areprotected by law. Currently, only an internal Metro policy protects theinformation collected through the SmarTrip system.

The Washington Metro announced this week a new privacy policy for thecollection and use of SmarTrip data or credit card usage in the Metrosystem. The policy limits disclosure without prior written authorizationfrom the person. It assures individuals access to their own informationand an accounting of disclosures. The Board also approved changes to itsPublic Access to Records Policy, more closely aligning it with thefederal Freedom of Information Act. The changes to that policyestablish certain exemptions and time frames for processing requests,provide for judicial review, and exempt individual SmarTrip data fromdisclosure except in limited instances.

EPIC supported the changes, but noted that the new policy will permitdisclosure of passengers' personal information -- including all SmarTripinformation -- upon written request from the head of a federal, state orlocal government agency in the context of a specific civil or criminallaw enforcement activity.

Documents obtained by EPIC from the Washington Metropolitan Area TransitAuthority (pdf):

EPIC FOIA Note #5: DC Metro Tracks Travelers:

EPIC's comments to DC Metro:

Metro's Proposed Amended Public Access to Records Policy and ProposedPrivacy Policy (approved May 19, 2005) (pdf):

Announcement of New Metro Privacy and Open Records Policy

[3] Congress Passes Controversial ID Bill Without Debate

Congress has passed the supplemental military spending bill to which theREAL ID Act was attached, and President Bush will soon sign thelegislation. The REAL ID Act, a national ID program, mandates federalidentification standards and requires that state DMVs collect sensitivepersonal information. Congress passed REAL ID without a hearing eventhough legislators in both parties urged debate.

Under the REAL ID Act, state DMVs will have to verify identificationdocuments and the legal status of immigrants. States are mandated tolink their databases so that all information collected by each DMV canbe accessed. Several state DMV offices have recently been the targetsof identity thieves.

The National Governors Association and National Conference of StateLegislatures are two of more than 600 organizations that oppose the REALID Act. The NGA and NCSL urged Congress to reject the REAL ID Act andinstead remain committed the driver's license and ID card provisions ofthe Intelligence Reform and Terrorism Prevention Act, which passed inDecember with bipartisan support.

States can choose to opt-out of the program, but REAL ID mandates thatlicenses from opt-out states cannot be used as identification forfederal purposes. This means that residents of states that reject theREAL ID program will not be able to board a plane or enter a federalbuilding with their licenses.

Rep. James Sensenbrenner, the act's sponsor, has estimated that enactingREAL ID would cost $100 million. However, the National Conference ofState Legislatures said it cost states $500 million to $700 million.
Whatever the cost, Congress has not yet allocated any funds for theprogram.

EPIC's National ID Cards and REAL ID page:

Text of H.R. 418, the Real ID Act:

Letter from Bipartisan Senate Coalition on Need for Hearing:
Letter from National Governors Association, American Association ofMotor Vehicle Administrators, National Conference of State Legislatures,Council of State Governments urging rejection of REAL ID:

[4] Study Shows Data Brokers' Files Error-Ridden, Acxiom Unresponsive

PrivacyActivism, a San Francisco-based privacy group, released a studyThursday showing that commercial data brokers Choicepoint and Acxiommaintain files with significant errors. The study also showed thatAcxiom was unresponsive to a number of requests made by individualsattempting to obtain their own dossiers.

In the study, 11 people requested their Choicepoint and Acxiom dossiers.
Although the sample size was small, the results showed significantproblems at both commercial data broker companies. All 11 participantswere successful in obtaining their Choicepoint reports quickly, but allfound errors in their files. Of the sample, 73 percent found errors inbasic biographical information in their Choicepoint reports, whichincludes name, date of birth, current address, and phone number. Otherfields in the reports had errors too, such as length of residence atcurrent and past addresses, real property owned, purchase/sale dates ofreal property. The group also found that three reports identifiedindividuals incorrectly as officers of corporations. Choicepointrecently claimed that only .0008 percent of the company's backgroundchecks have incorrect information, according to the Wall Street Journal.

PrivacyActivism found that only six of the 11 requestors were able toobtain their dossiers from Acxiom. The six that did obtain their reportshad to wait an average of 89 days after their requests to receive aresponse from Acxiom. At least one biographical information error was in67 percent of the Acxiom reports. One Acxiom report identified anindividual by the incorrect gender.

PrivacyActivism study on Choicepoint and Acxiom:

EPIC's Choicepoint page:

[5] House Bill Would Turn SSN Into a National Identifier

EPIC Executive Director Marc Rotenberg testified before the HouseSubcommittee on Immigration, Border Security, and Claims on the "IllegalImmigration Enforcement and Social Security Protection Act of 2005."
EPIC stated that the bill has significant flaws, among them are the lackof adequate privacy and security safeguards.

The bill requires Homeland Security to create a database containinginformation on employment eligibility, as well as information on allcitizens and non-citizens living in the country legally. This wouldtransfer SSN record information from the Social Security Administrationto the Department of Homeland Security, and would dramatically expandthe mission of DHS to include determining who is eligible to work in theU.S.

The bill would require each citizen and non-citizen in the U.S. toprovide this new national identity card to each prospective employer.
Supporters of the bill deny that it will be used as a national ID card,and point a disclaimer in the bill stating: "This card shall not be usedfor the purpose of identification." EPIC stated that employers, facingstiff penalties for hiring ineligible workers, likely would use the SSNcard as a de facto identification card, no matter what disclaimer wasplaced onto the card.

EPIC testified that the SSN was never intended to be a nationalidentifier, and should not be used as such. The subcommittee was urgedto limit the use of the Social Security Number, and to create strongsafeguards for this sensitive personal information.

EPIC's Testimony Before the House Subcommittee on Immigration, BorderSecurity, and Claims (pdf):

Text of H.R. 98: The Illegal Immigration Enforcement and Social SecurityProtection Act of 2005:

View a Webcast of the May 12, 2005 Hearing:

[6] News in Brief

EPIC Testifies in Senate on ID Theft and Data Broker IndustryEPIC Executive Director Marc Rotenberg testified before the SenateCommittee on Commerce, Science and Transportation on identity theft andcommercial data brokers last week. EPIC highlighted the need for alegislative response to the problem of commercial data brokers, such asLexisNexis, Choicepoint, and Acxiom, that house and exploit troves ofpersonal information about individuals. EPIC recommended that theGramm-Leach-Bliley Act's Security Safeguards Rule should be applied todata brokers, and the California data security breach notice law shouldbe extended to the federal level. EPIC also recommended passage of S.
768, the Comprehensive Identity Theft Protection Act, which would limitthe purposes for which data brokers' information could be used, andensure that individuals have a right to access and correct their files.

EPIC's Testimony Before the Senate Committee (pdf):

View a Webcast of the May 10, 2005 Hearing:

EPIC's Choicepoint Page:

Air Travelers Stripped Bare With X-ray MachineThe Transportation Security Administration plans to introduce "virtualstrip search" X-ray machines at select U.S. airports later this year.
The controversial systems, which are already used at by U.S customsagents at 12 airports to screen passengers suspected of carrying drugs,will scan general air travelers. Security workers using the $100,000refrigerator-size machines can see through clothes and show images of aperson's nude body. The machines use "backscatter" technology, whichbounces low-radiation X-rays off of a passenger to produce photo-qualityimages of metal, plastic and organic materials underneath clothes. TSAhas not announced when or where it will test the machines.

EPIC's Air Travel Privacy page:

Survey: U.S. Employers Likely To Monitor, Use Surveillance SystemsA survey of 526 U.S. companies found that 75 percent of companiesmonitor workers' Web site connections, 50 percent store and reviewemployees' computer files, and 55 percent review e-mail messages. Thereport by the American Management Association and the ePolicy Institutealso found that 51 percent of the companies surveyed use videomonitoring, up from 33 percent in 2001. Of the organizations thatmonitor their employees, 80 percent inform workers that the company ismonitoring content, keystrokes and time spent at the keyboard; 82percent notify employees that the company stores and reviews computerfiles; 86 percent alert employees to e-mail monitoring; and 89 percentnotify employees that their Web usage is being tracked.

AMA and ePolicy's 2005 Electronic Monitoring & Surveillance Survey:

EPIC's Workplace Privacy page:

Students Build Database on a Shoestring, Public RecordsComputer science graduate students with $50 and a tight timeline wereable to create databases rich with personal information from legal,publicly available databases. Student groups, led by Johns HopkinsUniversity Professor Aviel Rubin, obtained more than 1 million records,including death records, property tax information, campaign donations,phone books, and business permits. Mr. Rubin and his students wereprofiled recently by the New York Times, along with the work of BettyOstergren, the "Virginia Watchdog," who has found the Social Securitynumbers of prominent officials, including Colin Powell and Porter Goss,in public records.

New York Times Article on the Johns Hopkins Students:

The Virginia Watchdog, Betty "BJ" Ostergren:

EPIC's Social Security Numbers page:

Some U.S. Visitors Must Have High-tech Passports in JuneCitizens from the 27 "visa-waiver" countries must have machine-readablepassports by June 26 or they could be denied entry into the U.S. Anyairline, cruise ship or other transportation carrier that allows avisa-waiver citizen to travel without a machine-readable passport willbe fined $3,300 per person. People with immediate travel plans whocannot obtain a machine-readable passport in time should apply for aU.S. visa. The Department of Homeland Security said the machine-readablepassports will speed the customs process for travelers. This deadline isdifferent from the October 2005 deadline that the State Department hasset for the 27 visa waiver countries to obtain passports containingbiometric data.

State Department's Visa Waiver Program page:

EPIC's Air Travel Privacy page:

Homeland Security Seeks More Data on EuropeansDepartment of Homeland Security Secretary Michael Chertoff announcedthis week that the United States would seek additional information fromEuropean leaders about European air passengers heading to the UnitedStates. The United States and Europe currently have in place anagreement that permits the transfer of European passenger data. ManyEuropean political leaders believe this violates European privacy laws.
The European Parliament has brought a legal challenge against thecurrent policy.

Department of Homeland Security

EPIC's Passenger Profiling page

[7] EPIC Bookstore: Jensen & Draffan's "Welcome to the Machine"

Derrick Jensen & George Draffan, Welcome to the Machine: Science,Surveillance, and the Culture of Control, (Chelsea Green Publishing Co.

"In their new collaboration for the "Politics of the Living" series,Derrick Jensen and George Draffan reveal the modern culture of themachine, where corporate might makes technology right, government moneyfeeds the greed for mad science, and absolute surveillance leads toabsolute control
and corruption. Through meticulous research andfiercely personal narrative, Jensen and Draffan move beyond journalismand exposť to question our civilizationís very mode of existence.
Welcome to the Machine defies our willingness to submit to theinstitutions and technologies built to rob us of all that makes ushuman
our connection to the land, our kinship with one another, ourplace in the living world."

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Lawsand Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in more than sixty countries around the world. The surveyexamines a wide range of privacy issues including data protection,passenger profiling, genetic databases, video surveillance, ID systemsand freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 22ndedition fully updates the manual that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or need to learn how to litigatethem), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit onthe Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and theprocess of the World Summit on the Information Society (WSIS). Thisreference guide provides the official UN documents, regional andissue-oriented perspectives, as well as recommendations and proposalsfor future action, as well as a useful list of resources and contactsfor individuals and organizations that wish to become more involved inthe WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summariesof interesting documents obtained from government agencies under theFreedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Sixth Annual Institute on Privacy Law: Data Protection - The Convergenceof Privacy & Security. May 23-24, 2005. Atlanta, Ga. For moreinformation:

Debating REAL ID: A New National Driver's License? Center for AmericanProgress. May 26, 2005. Washington, DC. For more information:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing.
Technical Committee on Security & Protection in Information ProcessingSystems with the support of Information Processing Society of Japan.
May 30-June 1, 2005. Chiba, Japan. For more information:

Sixth Annual Institute on Privacy Law: Data Protection - The Convergenceof Privacy & Security. June 6-7, 2005. San Francisco, CA. For moreinformation:

Sixth Annual Institute on Privacy Law: Data Protection - The Convergenceof Privacy & Security. June 20-21, 2005. New York, NY. For moreinformation:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005. Luxembourg City, Luxenbourg. For more information:

3rd International Human.SocietyInternet Conference. July 27-29,
2005. Tokyo, Japan. For more information:

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:

Access to Information: Analyzing the State of the Law. RileyInformation Services. September 8, 2005. Ottawa, Ontario. For moreinformation:

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:

6th Annual Privacy and Security Workshop. Centre for Innovation Law andPolicy (University of Toronto) and the Center for Applied CryptographicResearch (University of Waterloo). November 3-4, 2005. University ofToronto. For more information:

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For moreinformation: target="new">

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248(fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you cancontribute online at:

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback