
EPIC Alert


EPIC Alert 12.19 [2005] EPICAlert 20


Volume 12.19 September 22, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Transportation Agency Drops Commercial Data From Prescreening Plan
[2] Privacy Commissioners: Set Privacy & Data Protection as Human Rights
[3] EPIC Advises Canadian Government on Identity Theft Prevention
[4] Roberts's Confirmation Hearings Highlight Privacy Concerns
[5] Election Report Recommends Voter ID, Paper Trails
[6] News in Brief
[7] EPIC Bookstore: Stephen G. Breyer's "Active Liberty"
[8] Upcoming Conferences and Events

[1] Transportation Agency Drops Commercial Data From Prescreening Plan

The Transportation Security Administration (TSA) has abandoned plans to use commercial data to check the identities of airline passengers in the government's proposed passenger prescreening system, Secure Flight. TSA announced the decision shortly before a government-appointed working group is expected to issue a critical report on the program's privacy implications.

As envisioned, Secure Flight would compare Passenger Name Records against information compiled by the Terrorist Screening Center, which includes expanded "selectee" and "no fly" lists. Further, the program would seek to identify suspicious travel behavior in passengers'

As originally planned, TSA would have also used commercial databases to verify the accuracy of information provided by travelers. The contractor conducting the test was EagleForce Associates, Inc., which obtained commercial data from data aggregators Acxiom, InsightAmerica and Qwest. According to documents obtained by EPIC under the Freedom of Information Act last year, Acxiom pushed to water down key federal privacy laws immediately after the September 11, 2001 terrorist attacks. According to the documents, Acxiom sought broader access to "credit headers" and drivers information in order to develop a system for "identity and information verification that can be used by organizations such as airlines, airports, cruise ships, and large buildings and other applications to better determine whether a person is actually who they say they are."

The agency began testing the system earlier this year. In June, however, TSA admitted that it had collected and maintained detailed commercial data about thousands of travelers in violation of a notice published last fall stating it wouldn't do so. The disclosure came just days after the Department of Homeland Security Privacy Office announced that it was investigating whether TSA violated a federal privacy law during the program's testing.

In related news, the Justice Department Inspector General recently concluded that TSA's missteps have made it difficult for the government office responsible for the terrorist watch list to prepare for the launch of Secure Flight. The Terrorist Screening Center maintains the government's consolidated watch list, which is planned to be a vital part of the prescreening program. According to the Inspector General's report, Terrorist Screening Center officials "believe that their ability to prepare for the implementation of Secure Flight has been hampered by the TSA's failure to make, communicate, and comply with key program and policy decisions in a timely manner." The Inspector General cited several issues as potentially problematic, including costs, redress, and data accuracy.

Transportation Security Administration's Page on Secure Flight:

EPIC documents on Acxiom's lobbying and proposed amendments (pdf):

EPIC's Secure Flight Page:

Justice Department Inspector General's Report (pdf):

[2] Privacy Commissioners: Set Privacy & Data Protection as Human Rights

Privacy commissioners from around the world called on governments and international organizations to establish data protection and privacy as fundamental human rights. At a privacy conference in Montreux, Switzerland, they also called for effective safeguards to limit the use of biometric passports and identity cards so that centralized databases will not be established. They also urged greater cooperation with NGOs.

A day before the large privacy conference started, EPIC and other European and American civil liberties groups sponsored a conference entitled "Strategies for International Privacy Protection -- Issues, Actors, and Future Cooperation." Its principal aim was to debate one of the two most sensitive privacy issues governments are grappling with and to reinforce cooperation between non-governmental organizations and data protection authorities. Privacy officials, NGOs, and representatives from the industry all participated in the discussion.

In the first panel on data retention, a speaker pointed to the many security risks and high costs for the industry -- Internet Service Providers and telecommunications providers -- and police and security agencies that a regime of retention of traffic and location data would introduce. A high risk also exists for police agencies themselves, since their traffic and location data would be stored in one place, and create a tempting target for criminals. In the second panel on biometrics, the Swiss Privacy Commissioner Hanspeter Thur described the pilot biometric passports project Switzerland had launched that was ended because of the high privacy risks that are inherent in the central database of the biometric passports program. Speakers also discussed the lack of transparency and the absence of public debate that supra-national organizations and governments around the world showed when they introduced proposals for biometric passports.

In a resolution, a group of privacy commissioners called for effective safeguards to limit the risks inherent to biometrics. They sought to restrict the use of biometrics in passports and identity cards to verification purposes -- the biometric data in the document would be compared with the data provided by the holder when presenting the document -- thereby prohibiting any centralization of data. The privacy commissioners suggested that governments make a "strict distinction between biometric data collected and stored for public purposes," such as border patrol, "on the basis of legal obligations, and for contractual purposes on the basis of consent."

Declaration of Montreux (pdf):
Resolution on Biometrics (pdf):

Privacy Conference 2005:

"Strategies for International Privacy Protection - Issues, Actors, and Future Cooperation":

[3] EPIC Advises Canadian Government on Identity Theft Prevention

EPIC urged the Canadian government to assume an aggressive posture against identity theft by taking a number of measures to give individuals greater control over personal information. In comments to the Consumer Measures Committee, EPIC explained the need for consumers to be able to freeze their credit files and for retailers to more carefully screen credit applications for signs of fraud.

EPIC's comments explained that United States law does little to prevent identity theft. Most U.S. law focuses on remedial measures, such as fraud alerts, and heightened penalties. These remedial measures and penalties have done little to deter the crime, especially because impostors are rarely investigated or caught by police. U.S. law also does little to check high-risk business practices, such as the sending of prescreened credit card offers, and lax instant credit granting policies, which make it easy for even unsophisticated individuals to commit identity theft.

In light of the failure of the remedial approach to address identity theft, EPIC urged the Canadians to focus on preventive measures. Chief among these is the credit freeze, the ability of individuals to lock down their credit report to prevent identity theft. Also suggested were stricter controls on prescreened credit card offers, and making credit grantors liable when they negligently issue new accounts to impostors.

EPIC also criticized predominant electronic payment systems. Credit cards offer little privacy, and involve using the same number over and over to charge the account. This number is revealed to many different people, and the credit card industry has refused to add basic authentication measures, such as a password, to prevent unauthorized charges. EPIC argued that the adoption of anonymous payment measures would heighten privacy, and if properly implemented, reduce fraud levels.

The Consumer Measures Committee is a forum of federal, provincial, and territorial government representatives. The body will review comments and issue proposed regulations in legislative language for another round of public comment.

EPIC Comments to the Consumer Measures Committee:

Canada, Consumer Measures Committee - Identity Theft

[4] Roberts's Confirmation Hearings Highlight Privacy Concerns

Senators on the Judiciary Committee today voted 13-5 to send the nomination of Judge John G. Roberts Jr. for Chief Justice of the United States to the full Senate with a recommendation for confirmation. The right to privacy became a major focus in Judge Roberts's confirmation hearings, in part because the constitutional right to privacy is a major underpinning of the Supreme Court's 1973 decision in the abortion rights case Roe v. Wade. However, privacy rights were raised in a variety of other contexts as well: Judge Roberts was asked whether rights to "liberty" in the Fourteenth Amendment include rights to privacy; about the secrecy-shrouded Foreign Intelligence Surveillance Act (FISA) court; and whether privacy extends to personal decisions regarding the education of children, end-of-life scenarios, and sexual orientation. Other questions focused on the preservation of civil liberties after the Sept. 11, 2001, terrorist attacks and the need for government accountability.

When Sen. Arlen Specter asked Judge Roberts if he believed that there was a Constitutional right to privacy, he replied: "Senator, I do." He said that privacy was "the right to be left alone," and that this was "one of our basic rights." Judge Roberts also said that he believed there was a privacy right contained within the Fourteenth Amendment, in its guarantee of liberty, and that this extended to the rights of women. Although Roberts said that he felt that the right to privacy included a right to contraception, he declined to answer whether he felt that privacy rights included a right to an abortion or a right to die, stating only that he would give weight to previous decisions by the Supreme Court in these areas. Judge Roberts also refused to state whether or not he agreed with Justice Clarence Thomas's opinion, espoused in his dissent in Lawrence v. Texas, that there is no "general right of privacy" in the Constitution. The 2003 case struck down anti-sodomy laws in Texas as unconstitutional.

In response to concerns expressed by Sen. Russ Feingold about the possible erosion of civil liberties in the wake of the Sept. 11 attacks, Judge Roberts said that the Bill of Rights does not change in times of war, but "things that might have been acceptable in times of war are not acceptable in times of peace." The PATRIOT Act, passed in response to the 2001 attacks, expanded the powers of the secret court enabled by the Foreign Intelligence Surveillance Act (FISA). The Chief Justice of the Supreme Court has the power to select members of this secret FISA court, which authorizes covert surveillance by law enforcement. Sen. Patrick Leahy urged Judge Roberts to work with him, Sen. Specter and Sen. Charles Grassley to improve the transparency of the FISA Court. Roberts agreed to keep an open mind on the topic, though he deferred to Congress's decisions in creating it.

Last week, in a letter to the Senate Judiciary Committee, EPIC had asked Senators to explore the views of Judge Roberts on privacy, "particularly as they may relate to the future of the Fourth Amendment and the role of the Congress in establishing statutory safeguards." The EPIC letter concluded, "The first Justice to join the Supreme Court in the 21st century should have a strong commitment to apply the Constitutional principles and enforce the statutory rights that help safeguard privacy in the modern era."

EPIC letter on John Roberts (pdf):

Senate Judiciary Committee:

Wikipedia, John G. Roberts, Jr.:

[5] Election Report Recommends Voter ID, Paper Trails

The Commission on Federal Election Reform, co-chaired by former President Jimmy Carter and former Secretary of State James A. Baker III, released a report on the conduct of domestic elections. The report made 87 recommendations, which include a call for universal voter registration, use of the Real ID as a voter identification document, and verifiable paper trails for electronic voting machines. The report said that a single, uniform ID requirement would reduce discrimination, improve voter confidence and eliminate identification-related election fraud.

Congress passed the Help America Vote Act of 2002, in response to the breakdown in vote tabulation during Florida's recount process conducted at the conclusion of the 2000 presidential election. HAVA expands the federal government's role in regulating voter registration and election processes, and it provides funds to states to upgrade their election systems. Under HAVA, states retain control of the election process, but they must meet minimum federal standards. HAVA also required election officials to verify voters' identification with administrative agencies (i.e., comparing driver's licenses with local DMVs and Social Security Numbers with the Social Security Administration).

In May, Congress passed REAL ID, which mandates federal identification standards for state driver's licenses and requires that state DMVs collect sensitive personal information. The proposal of using the Real ID card as a voter access card would be a significant departure from the original congressional intent.

States can choose to opt out of the REAL ID program, but the Act mandates that licenses from opt-out states cannot be used as identification for federal purposes. If Congress mandates that voters participating in federal elections can use only the Real ID card as identification, then residents of states that reject the REAL ID program will not have acceptable voter identification.

EPIC earlier opposed Georgia's effort to require all voters to present photo ID to participate in public elections. EPIC said that the Georgia plan encroaches on privacy, would discourage voter turnout, and is inconsistent with HAVA.

Report of the Commission on Federal Election Reform (pdf):

EPIC's Comments to the Department of Justice about the Georgia Voter ID Plan (pdf):

EPIC's Voting Page:

[6] News in Brief

Report: U.S. Outsources to Countries Lacking Privacy Protections
Rep. Edward J. Markey, a senior Member of the House Energy and Commerce Committee and the Co-Chair of the Congressional Privacy Caucus, recently released a report assessing the privacy risks for Americans when their data is outsourced to other countries. The report ranked the countries based on eight principles of legal protections taken from the European Union's Data Privacy Directive, including security, enforcement and notification. The report found that 14 of the 20 countries profiled have privacy regimes that are weaker than that of the U.S.

Markey Report: Outsourcing Privacy: Countries Processing U.S. Consumers' Personal Information Lack Fundamental Privacy Safeguards (pdf):

Privacy and Human Rights Report 2004:

Public Comment Sought on ICANN WHOIS Proposal
The ICANN is requesting public comments on a new WHOIS policy. Under ICANN's current contracts with the registries and registrars, the WHOIS domain name contact information, which includes names, addresses, telephone numbers and e-mail addresses, must be public. But under many local and national laws the information is private. The Task Force now recommends that registrars who change their WHOIS practices to abide by applicable laws and governmental regulations can still operate as accredited registrars. EPIC and the Non Commercial Users Constituency support this change but also urge a comprehensive review of WHOIS policies to ensure that the personal data of all Internet users is protected. Comments are due October 2.

Public Comment (due October 2):

ICANN WHOIS Task Force Report:


Choicepoint Announces More Improper Personal Data Disclosures
In the course of investigating a 2004 security breach involving 140,000 Americans, commercial data broker Choicepoint announced that another 9,903 individuals had their personal information sold without authorization. Of these individuals, 4,667 are victims of the 2004 security breach where Choicepoint sold personal information to an identity thief ring posing as a business. Choicepoint claims that a Florida police officer accessed the personal information of 4,689 other individuals. The remaining notices concern illegitimate access by private investigators and an insurance company. In Big Brother's Little Helpers, EPIC's Chris Hoofnagle warned that law enforcement users of commercial data brokers like Choicepoint were inadequately supervised. For instance, one document obtained under the Freedom of Information Act described in the article suggested that the FBI does not audit its own employee access to the Choicepoint database.

EPIC's Choicepoint Page:

Big Brother's Little Helpers:

US-VISIT Border Program Will Extend to 104 More Ports of Entry
The Department of Homeland Security announced last week that the US-VISIT border security program will add 104 ports of entry, beyond the current 50, by the end of the year. Problems have been found in US-VISIT's database and technology systems, and some errors have led to the improper flagging of crewmembers by government watch lists. This extension comes as the agency is considering a flawed proposal to use Radio Frequency Identification tags for travel documents, and two months after it began to require visitors to submit a full ten-fingerprint set.

July Spotlight on Surveillance: US-VISIT Rolls Out the Unwelcome Mat:


1,500 Students Protest Metal Detectors, Cameras at High School
This week, 1,500 New York City high school students skipped classes and marched for two miles to protest the installation of metal detectors and security cameras at DeWitt Clinton High School. The school had implemented a system where the students had to pass through metal detectors and have their bags scanned by X-ray machines. The school had also installed surveillance cameras. The protest resulted in a promised meeting between school administrators and students to discuss the new surveillance system.

May Spotlight on Surveillance: More Cities Deploy Camera Surveillance Systems with Federal Grant Money:

[7] EPIC Bookstore: Stephen G. Breyer's "Active Liberty"

Stephen G. Breyer, Active Liberty: Interpreting Our Democratic Constitution (Alfred A. Knopf, 2005)

"It is a historic occasion when a Supreme Court justice offers, off the bench, a new interpretation of the Constitution. Active Liberty, based on the Tanner lectures on Human Values that Justice Stephen Breyer delivered at Harvard University in November 2004, defines that term as a sharing of the nation's sovereign authority with its citizens. Regarding the Constitution as a guide for the application of basic American principles to a living and changing society rather than as an arsenal of rigid legal means for binding and restricting it, Justice Breyer argues that the genius of the Constitution rests not in any static meaning it might have had in a world that is dead and gone, but in the adaptability of its great principles to cope with current problems.

Giving us examples of this interpretation in the areas of free speech, federalism, privacy, affirmative action, statutory interpretation, and administrative law, Justice Breyer states that courts should take greater account of the Constitution's democratic nature when they interpret constitutional and statutory texts. He also insists that the people must develop political experience as well, and obtain the moral education and stimulus that come from correcting their own errors. His distinctive contribution to the federalism debate is his claim that deference to congressional power can actually promote democratic participation rather than thwart it. He argues convincingly that although Congress is not perfect, it has done a better job than either the executive or judicial branches at balancing the conflicting views of citizens across the nation, especially during times of national crisis. With a fine appreciation for complexity, Breyer reminds all Americans that Congress, rather than the courts, is the place to resolve policy disputes."

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50. survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40. is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40. resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40. "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and international privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore "EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Canada-Australia Comparative IP & Cyberlaw Conference. University of Ottawa. September 30 and October 1, 2005. Ottawa, Ontario. For more information:

Conference On Passenger Facilitation & Immigration: Newest trends in achieving a seamless experience in air travel. International Air Transport Association (IATA) and Singapore Aviation Academy (SAA). October 3-5, 2005. Singapore Aviation Academy. For more information:

& Privacy Workshop 2005: Toolkit For Change. Ontario Ministry of Government Service’s Access & Privacy Office. October 6-7, 2005. Toronto, Ontario. For more information:

State of Play III: Social Revolutions. Berkman Center for Internet and Society, New York Law School, Yale Law School. October 7-8, 2005. New York, NY. For more information:

Voice Symposium: "Privacy and Data Protection in Latin America - Analysis and Perspectives." Launch of the first Spanish version of "Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto Lleras Camargo de la Universidad de los Andes, Bogota, Colombia. Organizers: Electronic Privacy Information Center (EPIC), Grupo de Estudios en Internet, Comercio Electrónico, Telecomunicaciones e Informática (GECTI), Law School of the Universidad de los Andes, Bogota, Colombia, Computer Professional for Social Responsibility-Peru (CPSR-Perú). For more information:

6th Annual Privacy and Security Workshop. Centre for Innovation Law and Policy (University of Toronto) and the Center for Applied Cryptographic Research (University of Waterloo). November 3-4, 2005. University of Toronto. For more information:

World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information:

Corporation For Assigned Names and Numbers (ICANN) Meeting. November 30-December 4, 2005. Vancouver, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

issues are available at:

EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

