
EPIC Alert


EPIC Alert 12.12 [2005] EPICAlert 13


Volume 12.12 June 16, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Documents Spark Congressional Inquiry
[2] REAL ID Next Steps Debated at EPIC's National ID Symposium
[3] US Backs Down on Biometric Passports for European Union
[4] USA PATRIOT Act Reauthorization Debates Heat Up
[5] Senators, FTC At Odds on Solutions to Curbing Identity Theft
[6] News in Brief
[7] EPIC Bookstore: Johnny Long: Google Hacking for Penetration Testers
[8] Upcoming Conferences and Events

[1] EPIC Documents Spark Congressional Inquiry

Congresswoman Carolyn Maloney has asked the Social Security Administration to explain its new policy on disclosing personal information to law enforcement officials investigating the terrorist attacks of Sept. 11, 2001. Congresswoman Maloney is seeking to determine whether this policy violates the Privacy Act.

The request follows from a Freedom of Information Act request pursued by EPIC earlier this year. The documents obtained by EPIC reveal that the agency adopted a broad "ad hoc" policy. They show that the Social Security Administration provides law enforcement agencies with personal information merely upon a request stating that the data are sought "in connection" with a 9/11 investigation. The documents also reveal that in the days after 9/11, the Social Security Administration created a "streamlined process" to "ensure expeditious and consistent processing of the requests" from the Federal Bureau of Investigation and other federal law enforcement agencies.

A Social Security Administration "policy instruction" encouraged agency personnel to "use their knowledge of [agency] records to be as helpful as possible" in responding to law enforcement requests. The instruction gives as an example how, given a limited request to verify the match of a name to a Social Security number, a particular printout can reveal "additional information relevant to the investigation," such as birthdates and other information in the agency records. Such disclosures could be in violation of Exemption 7 of the Privacy Act, which limits disclosures for law enforcement purposes to the particular portion of the record that is requested.

In a letter to the Social Security Administration Commissioner, Representative Maloney has asked what specific changes the agency made in its disclosure policy after 9/11 and whether the agency's changes were prompted by requests from law enforcement. Representative Maloney also requested clarification of how the new policy complies with the Privacy Act, a federal statute that prohibits disclosure of records containing personal information for law enforcement purposes unless the requester specifies the law enforcement activity for which the record is sought.

The broad use of the agency's "ad hoc" disclosure policy represents a switch from the Social Security Administration's codified policy. The policy followed before 9/11 specified only two situations in which the Administration could disclose personal information to law enforcement. First, the agency could disclose information on a person who had been indicted for or convicted of a violent crime. Second, personal information could be disclosed when necessary to investigate or prosecute a crime involving the social security program. A decision to disclose in any other circumstances, such as "when necessary to respond to life threatening situations," could be made only if not prohibited by federal law.

Much of the information the Administration maintains is highly personal, and participation in social security programs is mandatory. Amplification of the agency's "ad hoc" policy, allowing disclosure of such private data on persons whom the state is not prosecuting for a violent crime or social security fraud, gives the agency virtually unfettered disclosure authority. Congresswoman Maloney noted in her letter that the agency apparently changed its policy without consulting the House of Representatives committees that have jurisdiction over the Privacy Act and the Social Security Administration.

Letter to the Social Security Administration from Congresswoman Maloney (pdf):

Documents Obtained by EPIC Under FOIA (pdf):

EPIC FOIA Note #4: Just Say "9/11" To Obtain Social Security Information:

[2] REAL ID Next Steps Debated at EPIC's National ID Symposium

On June 6, 2005, representatives of many organizations that raised concerns about REAL ID and related proposals met in Washington, DC, to discuss next steps at EPIC's symposium, "National ID at the Crossroads: The Future of Privacy in America." The event included panels about the technology, law, impact of, and international issues associated with identification.

In May, Congress passed the supplemental military spending bill to which the REAL ID Act was attached. REAL ID, a national ID program, mandates federal identification standards and requires that state DMVs collect sensitive personal information. Congress passed REAL ID without a hearing even though legislators in both parties urged debate, and more than 600 organizations opposed the bill. Under the REAL ID Act, state DMVs will have to verify identification documents and the legal status of immigrants. States are mandated to link their databases so that all information collected by each DMV can be accessed.

Speakers at the symposium included Bruce Schneier, author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World"; Barbara Simons of the Association for Computing Machinery; Cheye Calvo of the National Conference of State Legislatures, and Dennis Bailey of the Coalition for a Secure Driver's License. Mr. Bailey was one of the few supporters of the REAL ID Act at the symposium. He denied that REAL ID creates a national ID card, and said that he would accept the costs of implementing the legislation if it would mean there would be stronger national security.

Other speakers rejected the idea that the mandates of REAL ID would make the country more secure. Placing identification verification responsibilities upon DMV workers, as opposed to trained Customs and Immigration agents, would make it easier for false identities to be created and more likely that legitimate citizens and residents would be rejected as illegitimate. Mr. Schneier stated that the new licenses would indeed become national ID cards in practice as licenses are used for more than just driving - they're used when people apply for credit cards or bank loans, write a check, get a library card or enter a courthouse. These national ID cards, containing sensitive personal information and possibly biometric identification, would be used several times a day for non-driving purposes.

EPIC's June 6, 2005, National ID Symposium page:

EPIC's National ID Cards and REAL ID page:

Text of H.R. 418, the Real ID Act:

[3] US Backs Down on Biometric Passports for European Union

The Department of Homeland Security (DHS) has relaxed its rules mandating that countries participating in the Visa Waiver Program issue biometric passports by October 2005. The current law, enacted in 2002, gives Visa Waiver countries until October to issue hi-tech passports containing biometric information such as fingerprints or iris scans embedded in machine-readable chips.

The new passport standards require digital photographs to match with a person's unique physical characteristics by October and an embedded identification chip later. The requirements are a drastic step back from the initial biometric standards announced in 2002. Only six EU countries are expected to issue passports that comply with the initial standards in time to meet the October deadline. The U.K. does not expect to issue biometric passports until the first quarter of 2006. The initial deadline of October 2004 was pushed back when no country could meet the new requirements in time. A separate requirement that passports be machine-readable will be enforced beginning on June 26.

Each year, an estimated 13 million travelers from 27 Visa Waiver Countries, mostly in Europe, are allowed to visit the U.S. for up to 90 days without obtaining a visa. Citizens in countries that do not participate in the visa-waiver program, or do not meet the new passport requirements, must obtain visas before entering the U.S.

This turnaround comes just one month after the State Department's decision to revise plans to use passports with unencrypted RFID tags. The switch was in response to criticism from EPIC, other civil liberties groups, privacy and security experts, and the travel industry. The proposal would have made personal data contained in hi-tech passports vulnerable to unauthorized access.

EPIC, EFF et al., Comments on RFID passports (pdf):

EPIC's RFID page:

[4] USA PATRIOT Act Reauthorization Debates Heat Up

In a surprise move, the House of Representatives voted 238-187 on Wednesday to block the Justice Department and the FBI from using the USA PATRIOT Act to seek library records and bookstore sales slips of terror suspects. Lawmakers were concerned about the potential invasion of privacy of innocent library users. The vote passed even after a veto threat from President Bush.

Also this week, the House Committee on the Judiciary held its eleventh oversight hearing on the USA PATRIOT Act on June 8, with Deputy Attorney General James Comey testifying. The questions centered on provisions concerning wiretapping, authority to search homes without prior notification, interception of computer trespasser communications, Internet service providers, and mandatory detention of non-citizen suspected terrorists.

Several Members expressed concern about the erosion of civil liberties caused by certain USA PATRIOT Act provisions. Representatives from both parties noted that one option is to extend the law's "sunset" provision, which will nullify certain provisions of the law on December 31, 2005, unless Congress reauthorizes them, rather than permanently enact the sunsetting provisions into law. Another option proposed is to apply a sunset provision to the entire Act, not just the specified sections now under review, so that Congress will scrutinize the law again at a later date.

The June 8 hearing continued on June 10. The witnesses included Carlina Tapia-Ruano, First Vice President of the American Immigration Lawyers Association; Dr. James J. Zogby, President of the Arab American Institute; Deborah Pearlstein, Director of the U.S. Law and Security Program; and Chip Pitts, Chair of the Board of Amnesty International USA. The witnesses emphasized that the USA PATRIOT Act should be designed to provide security while protecting individual rights. They called for greater oversight and accountability and less secrecy.

Committee Chairman James Sensenbrenner began the hearing by stating that the testimony of the witnesses was "far outside the scope" of the hearing, noting that he believed the testimony did not bear on the sixteen provisions of the USA PATRIOT Act under review. Mr. Sensenbrenner followed the House rules closely, holding Members and witnesses to the five-minute time limit. The Chairman abruptly closed the hearing and walked out while witnesses continued to testify and amidst protests from committee members.

Webcast of June 8, 2005, House Judiciary Committee Oversight Hearing on Reauthorization of the USA PATRIOT Act:

Webcast of June 10, 2005, House Judiciary Committee Oversight Hearing on Reauthorization of the USA PATRIOT Act (continued from June 8):

EPIC's USA PATRIOT Act Sunset page:

[5] Senators, FTC At Odds on Solutions to Curbing Identity Theft

The Senate Commerce Committee held a hearing today concerning the problem of identity theft. All of the senators expressed their belief that action had to be taken to curtail the growing number of data-security breaches. Two common themes emerged from the hearing: the need to create minimum security standards for a company's collection of personal data and to notify individuals of the exposure of their personal information.

Sen. Chuck Schumer proposed regulations for data brokers that would require the implementation of both minimum security standards for data and would also allow for FTC authentication of any possible information buyers. Noting the recent CitiFinancial loss of data tapes, he proposed that any data transported in a physical manner should utilize encryption in order to minimize exposure. Sen. Dianne Feinstein said it was necessary for civil penalties to accompany any federal notification statute in order to ensure compliance.

William Sorrell, the Vermont Attorney General and President of the National Association of Attorneys General, stated that any action taken by the federal government regarding notification of consumers should serve as a floor and that it not preempt more protective state laws. Mr. Sorrell also testified that federal statutes should not preempt any state efforts to develop "credit freeze" laws. (Credit reports that are "frozen" or sealed can be made available only when the individual "thaws" her file, and specifies to whom, when, or in what contexts the file can be released.)

Members of the Federal Trade Commission testified and called on Congress to enact tougher legislation on data brokers and businesses entrusted with sensitive consumer data. FTC commissioners consistently rejected a number of senators' suggestions, such as a national registry of data brokers, the creation of an Office of Identity Theft, and an end to the use of consumers' Social Security numbers by businesses. Commissioner Thomas Leary stated that it was impractical to halt the longtime use of the SSN by businesses. FTC commissioners suggested stronger laws to limit the legitimate use of the SSN as an identifier.

Since 2001, EPIC has investigated commercial data aggregators such as Choicepoint, which collect personal information on individuals and sell the data to third parties. In May, EPIC Executive Director Marc Rotenberg testified about identity theft and commercial data brokers before the same Senate committee. EPIC recommended passage of both the Notification of Risk to Personal Data Act, S. 751, and the Comprehensive Identity Theft Prevention Act, S. 768. EPIC also recommended the application of the federal Privacy Act to any information broker that sells personal information to federal agencies.

Senate Commerce Committee Hearing on June 16, 2005:

EPIC's Testimony Before the Senate Committee on May 10, 2005 (pdf):

EPIC's Choicepoint page:

[6] News in Brief

FOIA Note #6: Election Agency Proposes Secret Voting Standards

Documents obtained by EPIC under the Freedom of Information Act reveal the complete draft standards for voting technology. The standards, which were developed by a technical committee for the Election Assistance Commission, could determine how votes will be tabulated in future elections. Other documents obtained by EPIC reveal vendor attempts to influence the development of the standards.

EPIC FOIA Note #6:

Documents Obtained by EPIC Under FOIA:

EPIC Joins Civil Liberties Brief in Newsletter Subscriber Privacy Case

EPIC joined eight civil liberties organizations to submit a "friend of the court" brief in Forensic Advisors, Inc. v. Matrixx Initiatives, Inc., which is currently before the Maryland Court of Special Appeals. In this case, Matrixx, a pharmaceutical company, is attempting to force Timothy Mulligan, a newsletter publisher, to disclose his subscriber list so that Matrixx can use it in connection with a lawsuit it filed against numerous unidentified people who posted derogatory comments about Matrixx on Internet discussion boards. The brief argues in favor of protecting the subscriber list under a Maryland law that protects journalists' sources. It also argues that the subscriber list is protected under the First Amendment, since disclosure of the list would deter readership and violate constitutionally established privacy rights. The brief proposes a five-factor test for determining when a subscriber list should be disclosed, essentially requiring the party demanding the list to prove that the list is essential to vindicate its legal rights, that those rights outweigh the privacy rights of the people on the list, and that it is in the public interest for the list to be disclosed.

Amicus Brief Submitted by EPIC, et al. (pdf):

Report Criticizes State of Open Government Under Ashcroft

Watching Justice recently released a report concerning open government under former Attorney General John Ashcroft. The report criticizes the Justice Department's relationship with the media and finds that Mr. Ashcroft's narrow interpretation of the federal FOIA made it harder to get information from the government. The report states that the current administration views open government "as a nuisance at best." Reporters and advocates are urged to give more attention to government initiatives and to make more FOIA requests in general.

"Open Government in the Ashcroft Era: What Went Wrong, and How to Make it Right":

Survey: Congress Not Meeting Challenge of Data Protection

A recent survey shows that many D.C. opinion leaders believe Congress has failed to keep consumer data safe. The survey by iQ Research and Consulting polled more than 400 "senior level professionals" with media, government, public policy or technology jobs in the D.C. area. Greater than 80% of those surveyed felt that Congress had not done enough to protect Social Security numbers; almost 70% felt that congressional attempts to protect consumer credit reports from unauthorized access were largely unsuccessful.

Joint Adobe and RSA Security Press Release About Survey:

EPIC's Choicepoint page:

Justice Dept. Inspector General Criticizes Terror Screening Center

The Department of Justice Inspector General released an audit report this week concluding that the United States' new centralized terror database is missing names that should be in it and contains inaccurate information about other people. The Terrorist Screening Center's database consolidated about a dozen government watch lists, which can be accessed by intelligence officials and local, state, and federal law enforcement agents. "While the TSC had successfully created and deployed a consolidated watch list database, the TSC has not ensured that the information in that database is complete and accurate," the report determined. Furthermore, the report found that some information about publicly known terrorists was missing, and the system has mistakenly identified people as being in the database. In response to the report, the Terrorist Screening Center released a response stating, among other things, that it will not establish an Office of the Ombudsman to take responsibility for redress issues arising from use of the information in the database.

Justice Department Inspector General's report:

European Parliament and NGOs Oppose Data Retention Scheme

The Council of the European Union will continue with a proposal for an EU-wide regime of data retention, despite its rejection by the European Parliament. The proposal, introduced jointly by France, the UK, Ireland and Sweden in April 2004, is intended to ease judicial cooperation in criminal matters relating to the retention of data processed and stored by ISPs and telcos. But the proposal was rejected by the European Parliament after members considered a report that highlights problems with the proposal's scope and legal basis. Last week, a group of European NGOs, including EDRI, Privacy International and Statewatch, wrote to Parliament members urging a rejection of the proposal. The letter stated that data retention is an invasive tool that interferes with the private lives of everyone in Europe, and retaining personal data on everyone is an illegal practice in violation of Article 8 of the European Convention on Human Rights because it is disproportionate, security gained from retention may be illusory, and the means through which this policy is being pursued is illegitimate.

Letter from European NGOs to European Parliament:

EPIC's Data Retention page:

Senate Judiciary Committee Approves Measure To Tweak FOIA

The Senate Judiciary Committee has approved a measure requiring that any future legislation establishing exemptions to the Freedom of Information Act state them clearly within the text of the bill. The measure, sponsored by Sen. John Cornyn and Sen. Patrick Leahy, is a companion bill to broader legislation to overhaul FOIA. The broader bill has not yet been considered by the committee. The bill would make major changes to FOIA for the first time in more than a decade by calling for speedier responses for requests and for providing incentives for federal agencies to answer them.

Information about S. 1181:

[7] EPIC Bookstore: Johnny Long: Google Hacking for Penetration Testers

Johnny Long, Google Hacking for Penetration Testers (Syngress 2005)

Johnny Long's "Google Hacking for Penetration Testers" is an excellent resource on the Google Internet search engine. Anyone who uses Google should read the first two chapters of this book, as it explains the basic and more advanced search techniques available. After chapter two, things get interesting. Long explains how to use Google to access information anonymously, and then dives into discovering site vulnerabilities and personal information on the Internet. It concludes with common-sense approaches to securing your own servers against the search techniques explained earlier in the book.

Chris Jay Hoofnagle

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, as well as recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence of Privacy & Security. June 20-21, 2005. New York, NY. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. July 11-15, 2005. Luxembourg City, Luxembourg. For more information:

3rd International Human.Society@Internet Conference. July 27-29, 2005. Tokyo, Japan. For more information:

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005. Edinburgh, Scotland. For more information:

Access to Information: Analyzing the State of the Law. Riley Information Services. September 8, 2005. Ottawa, Ontario. For more information:

5th Annual Future of Music Policy Summit. Future of Music Coalition. September 11-13, 2005. Washington DC. For more information:

Public Voice Symposium: "Privacy and Data Protection in Latin America - Analysis and Perspectives." Launch of the first Spanish version of "Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto Lleras Camargo de la Universidad de los Andes, Bogota, Colombia. Organizers: Electronic Privacy Information Center (EPIC), Grupo de Estudios en Internet, Comercio Electrónico, Telecomunicaciones e Informática (GECTI), Law School of the Universidad de los Andes, Bogota, Colombia, Computer Professional for Social Responsibility-Peru (CPSR-Perú). For more information:

6th Annual Privacy and Security Workshop. Centre for Innovation Law and Policy (University of Toronto) and the Center for Applied Cryptographic Research (University of Waterloo). November 3-4, 2005. University of Toronto. For more information:

The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. November 30-December 4, 2005. Vancouver, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

