
EPIC Alert


EPIC Alert 12.15 [2005] EPICAlert 16


Volume 12.15 July 28, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Court Rejects Agencies' "Sensitive Security" Claim in EPIC FOIA Case
[2] EPIC Testifies on Draft House Data Security Bill
[3] Local, State, National Organizations Battle REAL ID Implementation
[4] Accountability Office Finds Security Agency Broke Privacy Law
[5] After U.K. Attacks, Pressure Rises for More Surveillance in U.S.

[6] News in Brief
[7] EPIC Bookstore: Nat Hentoff's "War on the Bill of Rights"

[8] Upcoming Conferences and Events

[1] Court Rejects Agencies' "Sensitive Security" Claim in EPIC FOIA Case

In a Freedom of Information Act case brought by EPIC against three federal agencies, a federal court has held that the Transportation Security Agency and Department of Homeland Security may not withhold a document sought by the public simply by saying it contains "sensitive security information." Though federal agencies "are not required to describe the withheld portions in so much detail that it reveals the sensitive security information itself," the court said they are required to "provide a more adequate description" to explain why material is not made public.

The determination came in a Freedom of Information Act suit EPIC filed last year to force DHS, TSA and the FBI to release documents detailing the agencies' efforts to obtain passenger information from commercial airlines. The suit challenged the adequacy of the FBI's search for documents in response to EPIC's FOIA request. EPIC also argued that DHS and TSA improperly withheld requested records on grounds of protecting sensitive security information, personal privacy, and the agencies' internal deliberative processes.

The District Court for the District of Columbia determined that the FBI had conducted an adequate search for documents, and that DHS and TSA properly did not release some information under the FOIA. However, the court found that the agencies did not provide enough justification for numerous withholdings.

In addition to its finding on "sensitive security information," the court determined that DHS and TSA did not sufficiently explain the withholding of more than twenty documents as "deliberative." The court also determined that while agency employees have a privacy interest in their identities, the agencies did not provide enough information for the court to decide whether business and agency identifiers and domain names were properly redacted to protect personal privacy. The court has ordered DHS and TSA to provide more detailed justification for these withholdings.

The opinion:

For more information about the case:

[2] EPIC Testifies on Draft House Data Security Bill

In testimony today before the House Commerce Subcommittee on Consumer Protection, EPIC West Coast Director Chris Hoofnagle urged Congress to pass strong data security legislation that includes privacy protections for use of personal information. The hearing concerned bipartisan draft legislation sparked by a series of major data security breaches.

The legislation would direct the Federal Trade Commission to develop security standards applicable to all companies that possess Social Security numbers, driver's license numbers, or financial account numbers. Holders of these categories of personal information would have to give notice to their customers whenever a security breach occurred that created a "reasonable basis to conclude" that the breach "may result in identity theft." Additionally, companies would have to create a security policy, identify an employee responsible for information security, and employ preventative and corrective measures to address security vulnerabilities.

Heightened responsibilities would be placed upon information brokers, such as Lexis-Nexis and Acxiom. Such companies would have to provide individuals with their personal information dossier at no cost, and be audited regularly by the FTC. The legislation would broadly preempt stronger state law and limit enforcement of violations to the FTC.

EPIC's testimony focused on including privacy protections to complement the data security requirements. EPIC argued that the legislation should include the option for a "credit freeze," which enables individuals to block almost all dissemination of their credit reports. EPIC also recommended that companies be required to use audit logs to deter insiders from accessing and disclosing personal information without authorization.

Data Security: The Discussion Draft of Data Protection Legislation hearing:

EPIC Testimony:

EPIC's Choicepoint page:

[3] Local, State, National Organizations Battle REAL ID Implementation

More than seventy individuals from local, state and national organizations gathered in Washington, D.C. on Wednesday for the National Driver's License Strategy Meeting convened by the American Civil Liberties Union, Electronic Privacy Information Center, National Asian Pacific American Legal Consortium, National Immigration Law Center, and National Council of La Raza. The privacy, civil liberties, and immigrant rights' groups discussed strategies to fight the implementation of the REAL ID Act, a national ID program passed in May, which mandates federal identification standards and requires that state DMVs collect sensitive personal information.

Panels at the meeting discussed the national ID system's privacy and security risks; local, state and national strategies to oppose the implementation of the national ID system; and possible impacts upon different communities, including immigrant, minority, religious and gay/lesbian/bisexual/transgendered. Groups represented included the Electronic Frontier Foundation, National Governors Association, Center for New Community and National Employment Law Project.

Under the REAL ID Act, state DMVs will have to verify identification documents and the legal status of immigrants. States are mandated to link their databases so that all information collected about individuals by each DMV can be accessed. The panels highlighted the grave privacy and security risks inherent in the creation of a tempting target for criminals at a time of rampant data security breaches and attacks upon DMVs by identity thieves.

Rep. James Sensenbrenner, the act's sponsor, has estimated that enacting REAL ID would cost $100 million. However, Pennsylvania has estimated that it would cost more than $100 million for the state alone to implement the national ID program. Congress has not yet stated where the money to create the national ID system would come from. Panelist Nolan Jones, from the National Governors Association, estimated that REAL ID would cost $750 million over the next five years, and said that if the cost were passed on to the public, then licenses would cost about $100 to $125 each.

National Driver's License Strategy Meeting:

EPIC's National ID Cards and REAL ID Act page:

EPIC National ID Conference

Text of H.R. 418, the Real ID Act:

[4] Accountability Office Finds Security Agency Broke Privacy Law

In a letter to Congress, the Government Accountability Office concluded that the Transportation Security Administration violated the Privacy Act when it obtained personal information about airline passengers from commercial data brokers during the test phase of the Secure Flight passenger prescreening program. According to the letter, "the agency did not provide appropriate disclosure about its collection, use and storage of personal information as required by the Privacy Act," and "the public did not receive the full protections" of the law.

Violations of the Privacy Act of 1974, a federal law requiring government agencies to meet certain obligations when creating and maintaining systems of records, are civilly and criminally punishable. The Department of Homeland Security Privacy Office is also investigating whether the agency violated the Privacy Act during the test phase of Secure Flight.

In fall 2004, TSA published a privacy impact assessment and three notices describing the Secure Flight program, and also ordered 72 commercial airlines to turn over passenger records from June 2004 to test Secure Flight. The agency assured the public repeatedly it would not have access to or store data from commercial data aggregators during the test phase.

However, according to a notice and privacy impact assessment published in the Federal Register on June 22, TSA obtained passenger name records enhanced with commercial data during the testing of Secure Flight. The commercial data, which was obtained by contractor EagleForce Associates from commercial data brokers, included such information as name, home address, phone number, date of birth, and gender. EagleForce then provided the enhanced passenger records to TSA on CD-ROMs for use in watch list match testing. TSA continues to store this data. In a series of comments to the Department of Homeland Security, EPIC has repeatedly urged that the agency follow Privacy Act requirements when it gathers personal information on travelers.

In a letter to Homeland Security Secretary Michael Chertoff in response to the GAO's findings, Senators Susan Collins and Joe Lieberman stated that "careless missteps such as this jeopardize the public trust and DHS' ability to deploy" Secure Flight.

The GAO letter to Congress:

TSA Nov. 15, 2004 Notice of Final Order:

TSA June 22, 2005 System of Records Notice:

Letter from Sens. Lieberman and Collins to Secretary Chertoff:

EPIC's Secure Flight Page:

[5] After U.K. Attacks, Pressure Rises for More Surveillance in U.S.

A new series of bombings in London has increased pressure in the U.S. for more surveillance programs. There have been calls to significantly expand video surveillance systems and police have begun randomly searching subway, bus, ferry and railway riders in New York City and its New Jersey suburbs. Washington, D.C., is considering random searches of its mass transit riders, and is observing New York's tactics.

New York Sen. Hillary Clinton called for subway officials to install more cameras, even though New York officials said about 5,000 cameras are already in use throughout the city's travel system. Department of Homeland Security officials recently announced they would spend almost $10 million to install hundreds of surveillance cameras and sensors on a rail line near the Capitol.

London has 200,000 cameras, and more than 4 million cameras have been deployed throughout the country. The average Briton is seen by 300 cameras per day, according to estimates. Despite the extensive surveillance system, the recent bombings were not prevented. A recent EPIC Spotlight on Surveillance highlighted the ineffectiveness of such camera surveillance systems, and found the systems' minimal security benefit is not worth the significant risks to privacy. Studies have found that such camera networks have little effect on crime, and that it is more effective to place more officers on the streets and improve lighting in high-crime areas.

In 2002, EPIC launched the Observing Surveillance project. The project includes a map of camera locations in areas of downtown Washington, D.C., which indicates both the locations of surveillance cameras installed by the D.C. Metropolitan Police Department and the projected surveillance radius of those cameras.

New York City and New Jersey police have begun conducting random searches of packages and backpacks carried by more than 5 million daily mass transit passengers. These searches have prompted questions about racial and ethnic profiling, and about the legality of the searches, conducted on people who are not suspected of any criminal wrongdoing.

EPIC May Spotlight on Surveillance About Camera Systems:

Observing Surveillance Web Site:

[6] News in Brief

EDRI Launches Petition Against Data Retention

European Digital Rights and Dutch ISPs XS4ALL and Bit have launched an international petition against mandatory data retention. EDRI argues that retention of telecommunication traffic data is an invasive tool that interferes with privacy rights and data retention is illegal under Article 8 of the European Convention on Human Rights. EDRI also argues that security gained from retention may be illusory, as traffic data may easily point to another user, and the means through which this policy is being pursued are illegitimate.

EDRI and ISP petition against data retention (in English and French):

EPIC's International Data Retention page:

New EPIC Page Describes 'Flash Cookies'

Internet cookies used to be a treat for marketers looking for ways to measure advertising response, but that has changed. A recent study by international research advisory organization JupiterResearch has found that nearly 60 percent of American Internet users have deleted cookies from their computers in order to avoid being tracked online. One company has proposed to track users through a feature in Macromedia Flash software. "Flash cookies" make it possible for Web sites to track users, even if they delete their normal cookies. EPIC's new Flash Cookies page describes what they are, and how to prevent being tracked by them.

EPIC's Flash Cookies page:

JupiterResearch press release about its study:

Justice Department Launches Online National Sex Offender Database

The Department of Justice has posted a nationwide sex offender Web site, which provides public access to sex offender information from 21 states and the District of Columbia searchable by name, ZIP code, county, city, state, or nationwide. According to the site, the database will provide "one-stop access" to registries from all 50 states by the end of the year. Each state posts different information about sex offenders, but profiles can include detailed personal data such as the individual's name, date of birth, residential address, work address, age, weight, height, hair color, eye color, race, gender, identifying marks, one or more photographs, offense, conviction information, known aliases, and age of victim. In an amicus brief to the Supreme Court, EPIC argued in 2002 that "Megan's law statutes which permit registry dissemination on the Internet are excessively invasive of the privacy of released offenders."

Department of Justice National Sex Offender Public Registry:

EPIC Amicus Brief, Smith v. Doe (US 2003) (pdf):

Smith v. Doe (US 2003)

EPIC Publishes Memo on Recruiting Database, Privacy Act Violations

EPIC has released a memorandum describing the Department of Defense recruiting database. The memorandum discusses the sources of the data and the Privacy Act violations in the creation of the database. Of particular concern is the use of commercial data brokers and Social Security numbers. Pending resolution of these issues, EPIC urges the department to immediately suspend the use of the database.

EPIC memorandum (pdf):

EPIC's DOD Recruiting Database page:

Deadline Approaches to Comment on Telemarketing Laws

According to DMNews, a publication focusing on direct marketing, 8,100 people have filed comments with the Federal Communications Commission in opposition to petitions filed by telemarketers that would weaken protections against telemarketing. The petitions seek to preempt, or supersede, state laws that are stronger than federal law. These state laws prohibit telemarketers from making "pre-recorded voice" calls, or from exploiting a "business relationship" loophole that allows calls to those on the Do-Not-Call Registry. EPIC is urging consumers to comment in support of state anti-telemarketing laws until the deadline for public participation, Friday July 29, 2005.

EPIC's Telemarketing Preemption page:

FCC Comment Filing System page:

Two Canadian Law Firms Rebuked for Privacy Breaches

The Office of the Information and Privacy Commissioner of Alberta, Canada, recently rebuked two Canadian law firms for publishing personal employee information on a public Web site. Stikeman Elliott LLP of Toronto and Montreal and Shtabsky & Tussman LLP of Edmonton violated Alberta's Personal Information Protection Act by disclosing home addresses and social insurance numbers in connection with a corporate buyout. The office recommended that both law firms conduct comprehensive privacy training and education programs with its lawyers and staff.

Alberta Privacy Commissioner report (pdf):

EPIC Opposes Council of Europe Convention on Cybercrime

In a statement to the Committee on Foreign Relations, EPIC has urged the United States Senate to oppose ratification of the Council of Europe Convention on Cybercrime. EPIC cited the sweeping expansion of law enforcement authority, the lack of legal safeguards, and the impact on US Constitutional rights.

EPIC statement (pdf):

EPIC's Cybercrime Convention page:

Build-A-Bear Workshops Build a Marketing Database on Kids

Build-A-Bear Workshops are where kids construct and customize their own teddy bears, and even create a birth certificate for them. The company also gathers personal information on its young customers. When kids access computers to make bear birth certificates, they are asked to submit their name, birth date, gender, home address and an e-mail address. Children are required to opt-out of receiving unsolicited offers by unchecking boxes authorizing Build-A-Bear to contact kids with special offers and promotions.

EPIC's Privacy and Consumer Profiling page:

[7] EPIC Bookstore: Nat Hentoff's "War on the Bill of Rights"

Nat Hentoff, War on the Bill of Rights And the Gathering Resistance (Seven Stories Press, 2003)

"The Constitution, said Supreme Court Justice Antonin Scalia ominously in March, 2003, just sets minimums. Most of the rights that you enjoy go way beyond what the Constitution requires. In The War on the Bill of Rights-and the Gathering Resistance, nationally syndicated columnist and Village Voice mainstay Nat Hentoff draws on untapped sources-from reporters, resisters, and civil liberties law professors across the country to administration insiders-to piece together the true dimensions of the current assault on the Constitution and the Bill of Rights. The first draft of the USA PATRIOT Act to go to Congress included the suspension of habeas corpus. The proposed sequel (PATRIOT Act II) would make it possible to revoke U.S. citizenship, and, for the first time in history, authorize secret arrests. Both Patriot Acts increase electronic surveillance of Americans, with minimal judicial supervision. Hentoff refocuses attention on domestic surveillance initiatives established by unilateral executive actions, such as Operation TIPS and the Total Information Awareness System, both still quietly functioning. Hentoff chronicles the inevitable rise of citizen's groups against these gross infringements, comparing today's Bill of Rights Defense Committees to Samuel Adams's Sons of Liberty, whose campaign against the British helped to precipitate the American Revolution. Afforded little coverage in the major media, the Bill of Rights Defense Committees now have spread to nearly one hundred cities and towns nationwide. Hentoff quotes Lance Morrow, who wrote, If Americans win a war (not just against Saddam Hussein but the longer-term struggle) and lose the Constitution, they will have lost everything."

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, as well as recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Access to Information: Analyzing the State of the Law. Riley Information Services. September 8, 2005. Ottawa, Ontario. For more information:

5th Annual Future of Music Policy Summit. Future of Music Coalition. September 11-13, 2005. Washington DC. For more information:

Conference On Passenger Facilitation & Immigration: Newest trends in achieving a seamless experience in air travel. International Air Transport Association (IATA) and Singapore Aviation Academy (SAA). October 3-5, 2005. Singapore Aviation Academy. For more information:

Access & Privacy Workshop 2005: Toolkit For Change. Ontario Ministry of Government Service's Access & Privacy Office. October 6-7, 2005. Toronto, Ontario. For more information:

Public Voice Symposium: "Privacy and Data Protection in Latin America - Analysis and Perspectives." Launch of the first Spanish version of "Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto Lleras Camargo de la Universidad de los Andes, Bogota, Colombia. Organizers: Electronic Privacy Information Center (EPIC), Grupo de Estudios en Internet, Comercio Electrónico, Telecomunicaciones e Informática (GECTI), Law School of the Universidad de los Andes, Bogota, Colombia, Computer Professional for Social Responsibility-Peru (CPSR-Perú). For more information:

6th Annual Privacy and Security Workshop. Centre for Innovation Law and Policy (University of Toronto) and the Center for Applied Cryptographic Research (University of Waterloo). November 3-4, 2005. University of Toronto. For more information:

The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. November 30-December 4, 2005. Vancouver, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

