WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2005 >> [2005] EPICAlert 12

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 12.11 [2005] EPICAlert 12


Volume 12.11 June 2, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
Table of Contents

[1] Report: Consumers Vulnerable to Profiling, Price Discrimination
[2] EPIC Urges Close Scrutiny of Sunsetting USA PATRIOT Act Provisions
[3] Government Proposes to "Virtually Strip Search" Air Passengers
[4] Government Report: Federal Agencies' RFID Plans Flawed
[5] Conference in Congo Covers Privacy Policies and Internet Governance
[6] News in Brief
[7] EPIC Bookstore: Larry Selden & Geoffrey Colvin: Good & Bad Customers
[8] Upcoming Conferences and Events

[1] Report: Consumers Vulnerable to Profiling, Price Discrimination

A new report released by the Annenberg Public Policy Center shows thatconsumers are largely unaware of how their personal information is usedby businesses, and they object to behavioral profiling, pricediscrimination, and the purchase of their personal information fromdatabase companies. The report also found that the respondentsincorrectly believe that "laws prevent online and offline stores fromselling their personal information," and that "stores cannot charge themdifferent prices based on what they know about them." The report isbased on a phone survey of 1,500 Internet-using adults. It focuses ontwo trends that are driven by the collection of personal information:
behavioral targeting, where individuals are presented different productsbased on their shopping habits; and price discrimination, whereindividuals are charged differently based on what the business knowsabout consumers.

Using "first degree" price discrimination, a company can determine themaximum that an individual is willing to pay for a product, and engagein "dynamic" pricing. This enables sellers to hawk the same products atthe same time to different people at different prices. Dynamic pricingis even easier to employ in an online environment, where users aretracked by registration data and cookies.

The report was presented a press conference at the National Press Clubby Annenberg Public Policy Center Professor Joe Turow. Joining ProfessorTurow at the event were FTC Commissioner John Liebowitz, EPIC ExecutiveDirector Marc Rotenberg, and Professor Rene Hobbs.

Mr. Rotenberg said that the report demonstrated the need for the FederalTrade Commission to safeguard consumer privacy. "Privacy policies havefailed to provide meaningful protection for American consumers. Onlineprofiling also raises the risk of 'digital redlining' that will excludesome consumers from the marketplace. It is the FTC's role to safeguardonline privacy, and crackdown on unfair business practices," said Mr.

The Annenberg report recommends three courses of action. First, because75% of Internet users incorrectly believe that a site with a privacypolicy does not share information with third parties, companies shoulduse the label "Using Your Information" rather than "Privacy Policy" todescribe their data handling practices. Second, school systems shoulddevelop consumer education and media literacy curricula. Finally, inlight of a finding that the vast majority of respondents believe thatthey could be harmed by commercial collection of personal information,the study's authors called for more transparency in data handlingpractices.

"Open to Exploitation: American Shoppers Online and Offline" byAnnenberg Public Policy Center of the University of Pennsylvania (pdf):

EPIC's Choicepoint page:

[2] EPIC Urges Close Scrutiny of Sunsetting USA PATRIOT Act Provisions

The Senate Select Committee on Intelligence is considering legislationthat would reauthorize the sunsetting provisions of the USA PATRIOT Actand expand the FBI's investigative powers. Included in the draft billare provisions that would (1) give the FBI greater authority to demandthat the U.S. Postal Service perform mail covers and (2) permit the FBIto issue "administrative subpoenas" in foreign intelligence andterrorism investigations.

EPIC issued a statement for the record for the Committee's May 24hearing. EPIC urged the Committee to carefully consider whether eachsunsetting provision should be reauthorized as written or whethermodifications are necessary, rather than simply voting to renew allprovisions as currently written. In addition, EPIC urged the Committeeto oppose the expansion of the FBI's investigative powers absentevidence that such expansion is necessary. EPIC said that the executivebranch has not publicly demonstrated a need for providing greaterauthority to the FBI, that there is no indication that such authority isnecessary for the FBI to ensure national security, and that theprovisions reach far beyond any authority publicly sought by the FBI.

In addition, EPIC, along with twenty-four other organizations, sent aletter to the Chairman and Vice Chairman of the Committee urging themnot to grant the FBI authority to write their own search and disclosureorders without judicial approval. The letter reminded the Committee ofU.S. Attorney General Alberto Gonzales's repeated emphasis that theprior judicial approval required under current law is a safeguardagainst abuse and that current law gives the FBI far-reaching compulsorypowers to obtain any relevant information when it is investigatingterrorism. Additionally, the letter stated that the burden of proofestablished by the 9/11 Commission for retaining and adding particulargovernmental powers has not been satisfied and the adoption of theprovision would give the FBI unjustified and unaccountable new powers.

EPIC Statement for the Record:
Joint Opposition Letter:

EPIC's USA PATRIOT Act Sunset page:

[3] Government Proposes to "Virtually Strip Search" Air Passengers

The Transportation Security Administration (TSA) recently announced thatit would expand the use of new X-ray machines to general air passengerstraveling at 16 select airports throughout the U.S. TSA said it believesthat use of the machines to search air travelers is less invasive thanpat-down searches. However, the use of these machines, which show imagesof a person's naked body, do pose a risk to the privacy rights of airtravelers.

The machines use high-energy X-rays that are more likely to scatter thanpenetrate materials as compared to lower-energy X-rays used in medicalapplications. Although this type of X-ray is said to be harmless it canmove through other materials, such as clothing. A passenger is scannedby moving a single high energy X-ray beam rapidly over her body. Thesignal strength of detected backscattered X-rays from a known positionthen allows a highly realistic image to be reconstructed. In the caseof airline passenger screening, the image is of her nude form. Theimage resolution of the technology is high, so the picture of the bodypresented to screeners is detailed.

The $100,000 backscatter machines were previously tested at 12 airportsby U.S. Customs agents who screened passengers suspected of carryingdrugs. The machines are also being used at London's Heathrow airport.
TSA has not formally announced when or where the backscatter machineswill be used to screen regular air travelers. However, media reportshave revealed some of the airports where the machines will be used. Theairports include: Baltimore/Washington, Dallas/Fort Worth, Jacksonville,Phoenix and San Francisco.

Legal experts believe that the use of the device by government agenciescould be an impermissible search, under both the US constitution andEuropean privacy law.

EPIC's Backscatter Technology page:

EPIC's Air Travel Privacy page:

[4] Government Report: Federal Agencies' RFID Plans Flawed

The Government Accountability Office (GAO) released a report last weekthat found thirteen government agencies are using or plan to use RadioFrequency Identification (RFID) tags, but only one agency identified anylegal or privacy issues with the use of the tags. The federal agenciesplan to use RFID in identification cards, and to track employees'
movements and sensitive documents. The report did not address the use byagencies of RFID data that is obtained from third parties.

RFID is used to electronically identify, track, and store information onchips or tags. Tests have shown that RFID tags can be read at a distanceof thirty feet, which presents significant privacy and security risks.
The privacy risks involve the tracking of individuals, profiling ofindividuals based on the collection of data, and the use of data forpurposes other than that which they were collected for. The securityrisks relate to data confidentiality, integrity and availability. Theseprivacy and security risks are inherent in "skimming" and"eavesdropping." Skimming occurs when information from an RFID chip issurreptitiously gathered by an unauthorized individual. Eavesdroppingoccurs when an individual intercepts data as it is read by an authorizedRFID readerThe report identifies ways for government agencies to address theprivacy risks. These include: deactivation of the tags once theirfunction is fulfilled, blocking technology that disrupts transmission,and an opt-in/opt-out framework for the data collected. RFID securityrisks can be decreased with the use of authentication technology, whichprevents unauthorized readers from detecting the tags, and encryptiontechnology, which preserves confidentiality and integrity ofinformation.

This report comes a month after the State Department revised its plansto use passports with unencrypted RFID tags in response to criticismfrom EPIC, other civil liberties groups, privacy and security experts,and the travel industry. The proposal would have made personal datacontained in hi-tech passports vulnerable to unauthorized access.

Government Accountability Office Report on Agency Use of RFID (pdf):

EPIC, EFF et al, Comments on RFID passports (pdf):

EPIC's Spotlight on Surveillance for April 2005 Concerning Agency IDCards With RFID Tags:

EPIC's RFID page:

[5] Conference in Congo Covers Privacy Policies and Internet Governance

EPIC sponsored a two-day conference in Brazzaville, Republic of Congo,on May 16 and 17, about linking research on information andcommunication technologies (ICT's) to development. The Congo-basednon-governmental organization (NGO) Azur Développement organized aworkshop and a symposium to address research on ICT's, privacy policyand Internet governance issues.

The symposium analyzed the current barriers and challenges to theincrease of research on ICT's in universities and high schools, theimpact of research on ICT's on the development of communities, and therole of research on ICT's in the Information Society. EPIC Director ofthe International Privacy Project Cedric Laurant talked about the recentdevelopments in privacy around the world, as well as about securityissues related to the use of e-mail and other Internet-basedtechnologies.

Other speakers discussed the opportunities and challenges of theInformation Society, the ways to integrate research on ICT's incommunity projects, Internet governance, ICT policy in Africa, thechallenges of electronic privacy in Congo, and the World Summit onInformation Society. Students shared reports on the challenges ofe-commerce in Congo; electronic privacy and security; research on ICT'sin Africa and their development in Congo; volunteers' use of ICT's;
freedom of speech on the Internet; and the integration of research onICT's in community projects.

The preparatory workshop, held the day before the symposium, allowed NGOrepresentatives and university students to explore the various ICT'sthat can help them carry out their research and apply for grants whendeveloping public interest community projects. The workshop alsoprovided information on how to disseminate information and network withothers more efficiently using ICT's.

Presentations and Documents from the Conference (currently in Frenchonly, but soon available in English):

Conference site (in French only):

[6] News in Brief

EPIC Voting Project Urges Privacy Safeguards for DatabasesThe National Committee for Voting Integrity has submitted comments tothe Election Assistance Commission on the proposed creation ofcentralized statewide voter registration databases. NCVI said that theregistration systems must assure voter privacy by adhering to fairinformation practices, and allow voters to verify information, correctinaccurate information, and be assured that the information providedwill not be used for non-voting related purposes.

National Committee for Voting Integrity Comments:

EPIC's Voting page:

Court Rules Against Japan ID PlanA Japanese court has ruled that individuals may not be required toprovide personal information for the National Residence Registry Networkor "Juki Net." The court said that Article 13 of the Japaneseconstitution applied to all of the data sought by the government for thedatabase, which includes names, addresses, birth dates and sexes, plus11-digit resident codes. A second court ruled that the first four piecesof personal information, which people can access over the network, "donot need to be highly protected." Similar lawsuits have been filed in 13different courts across Japan, challenging the collection of data forJuki Net.

Privacy and Human Rights 2004 (Japan)

"Privacy & Human Rights 2004: An International Survey of Privacy Lawsand Developments" (EPIC 2004). Price: $50.

System Allows Parents To Spy on Children's LunchesThree school districts in Atlanta, Ga., last week began to allow parentsto monitor their children's meals through an electronic lunch paymentsystem called, created by Horizon Software International.
Each time a student buys an item at the school cafeteria, whetherthrough an account or in cash, they key in their ID number and recordeach purchase for parents to view online. Some parents are monitoringmeals as a way to stem obesity in their children. FAQs:

New York City Plans to Install 400 More Surveillance CamerasThe New York City police department announced this week that it plans toinstall as many as 400 surveillance cameras in high-crime andhigh-traffic areas around the city. The cameras would record digitalvideotape but would not be monitored live by police officers. They wouldbe in addition to 80 surveillance cameras already in New York. Othercities with large camera surveillance systems, often financed withfederal grants, include Chicago, Baltimore and New Orleans. EPIC's MaySpotlight on Surveillance reported that such surveillance systems havelittle effect on crime, and that it is more effective to placeadditional officers on the streets and improve lighting in high-crimeareas.

EPIC's May Spotlight on Surveillance:

EPIC's Observing Surveillance Project:

Iowa Requires Parental Permission Before Obtaining Children's FingerprintsIowa has passed a law requiring police to obtain parents' permissionbefore taking children's fingerprints. The Child Identification andProtection Act prohibits the unauthorized fingerprinting of childrenexcept under certain circumstances, including certain criminalsituations. The act followed reports of police fingerprinting childrenwithout their parents' permission.

Iowa Child Identification and Protection Act:

[7] EPIC Bookstore: Larry Selden & Geoffrey Colvin: Good & Bad Customers

Larry Selden & Geoffrey Colvin, Angel Customers and Demon Customers,
(Portfolio 2003)

A major clothing seller once declared that, "an educated consumer is ourbest customer." If retailers listen to Larry Selden and GeoffreyColvin's advice in "Angel Customers and Demon Customers, " the suckerconsumer will be the new "best" customer. Selden and Colvin argue thatbusinesses should divide their customer bases into "angel" and "demon"
consumers. Angels are not careful with their money; they charge $5,000plane tickets and keep high credit card balances. Demons are those whopay their credit card bills in full, buy products that are discounted,return items, or those who spend sales associates' time asking questionsabout products. In other words, the authors imply that frugal, smartshoppers who do their homework are demonic. Angels should be rewarded,while demons' behavior should be shaped so that it becomes moreprofitable for the business. In extreme cases, demon customers should be"fired." Already, Selden and Colvin's ideas have taken root at majorcompanies, including Best Buy and Fidelity Bank.

As with other books of this genre, "Angel Customers and Demon Customers"
could be less repetitive and emotional, but more importantly, it couldbe more insightful. The authors devote only a single paragraph to theprivacy implications of their proposal. There is no serious discussionof the ethical dimension of price and service discrimination. In lightof the Annenberg Policy Report released this week, where respondentsobjected strongly to both business practices, this book could beimproved by a thoughtful treatment of the bounds of "good' and "evil"
and the implications of categorizing people as such.

While some of the authors' proposals have merit, overall these practicesare dangerous. On one level, the practices would seem to reducecompetition, as focus would be shifted away from developing the bestproduct at the lowest price to one where the focus is identifying theloyal and shaping the thrifty into spendthrifts. Also, these practiceswill favor the rich and unfairly penalize the poor and minorities(according to the Wall Street Journal, Best Buy identified their mostdesirable customers as "upper-income men, suburban mothers,small-business owners, young family men, and technology enthusiasts").
With time, these practices could negatively alter the balance of powerbetween the consumer individual and businesses, encouraging one to ask:
"Should I return that item, or will it mark me as a demon?"

Chris Jay Hoofnagle

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Lawsand Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in more than sixty countries around the world. The surveyexamines a wide range of privacy issues including data protection,passenger profiling, genetic databases, video surveillance, ID systemsand freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 22ndedition fully updates the manual that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or need to learn how to litigatethem), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit onthe Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and theprocess of the World Summit on the Information Society (WSIS). Thisreference guide provides the official UN documents, regional andissue-oriented perspectives, as well as recommendations and proposalsfor future action, as well as a useful list of resources and contactsfor individuals and organizations that wish to become more involved inthe WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summariesof interesting documents obtained from government agencies under theFreedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Sixth Annual Institute on Privacy Law: Data Protection - The Convergenceof Privacy & Security. June 6-7, 2005. San Francisco, CA. For moreinformation:

Regulation: A Closer Look at Security, Data, and Ethics in Business.
Association for Corporate Travel Executives. June 16, 2005. Washington,DC. For more information:

Sixth Annual Institute on Privacy Law: Data Protection - The Convergenceof Privacy & Security. June 20-21, 2005. New York, NY. For moreinformation:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005. Luxembourg City, Luxenbourg. For more information:

3rd International Human.SocietyInternet Conference. July 27-29,
2005. Tokyo, Japan. For more information:

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:

Access to Information: Analyzing the State of the Law. RileyInformation Services. September 8, 2005. Ottawa, Ontario. For moreinformation:

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:

6th Annual Privacy and Security Workshop. Centre for Innovation Law andPolicy (University of Toronto) and the Center for Applied CryptographicResearch (University of Waterloo). November 3-4, 2005. University ofToronto. For more information:

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For moreinformation: target="new">

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248(fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you cancontribute online at:

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback