
EPIC Alert



EPIC Alert 12.20 [2005] EPICAlert 21


Volume 12.20 October 6, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC FOIA Note: Travelers Struggle With Watch List Errors
[2] FCC to Apply Wiretap Law to Broadband, VoIP
[3] US-VISIT's Travel ID Plan Still Has Security, Privacy Risks
[4] EPIC Unveils Page About Theme Parks and Privacy
[5] Congress Demands Limits on "Sensitive Security Information"
[6] News in Brief
[7] EPIC Bookstore: Dan Tynan's "Computer Privacy Annoyances"
[8] Upcoming Conferences and Events

[1] EPIC FOIA Note: Travelers Struggle With Watch List Errors

Documents obtained by EPIC under the Freedom of Information Act show nearly a hundred complaints from airline passengers about the government's traveler screening security measures. The most common complaint from travelers is that they have been wrongly placed on a government watch list.

The Transportation Security Administration maintains "selectee" and "no fly" watch lists of individuals suspected of posing a risk to air travel safety. When a passenger checks in for a flight, he may be labeled a threat if his name matches an entry on one of the watch lists, even if he is not the person actually on the list. People who are identified as watch list matches may experience long screening delays or not be allowed to board the plane.

EPIC posted the documents on its Web site in recognition of International Right to Know Day on September 28. On that day in 2002, freedom of information organizations from around the world established the Freedom of Information Advocates Network. The coalition, now composed of more than 90 organizations on four continents, continues to promote the adoption of freedom of information laws throughout the world and the recognition of the right to know as a fundamental human right.

EPIC FOIA Note #8:

More EPIC FOIA documents on watch lists:

Freedom of Information Advocates Network:

EPIC International Right to Know Day press release:

[2] FCC to Apply Wiretap Law to Broadband, VoIP

On September 23, the Federal Communications Commission issued an order and notice of proposed rulemaking stating that the federal wiretap law applies to broadband Internet service providers and voice over IP (VoIP) services. The 1994 wiretap law, known as CALEA (the Communications Assistance for Law Enforcement Act), required telephone companies to provide easy access for law enforcement agencies to tap customers'

The new FCC order means that broadband service providers and providers of VoIP services that are capable of connecting to the regular telephone network ("interconnected VoIP") must also create systems that the government can wiretap. The FCC reached this conclusion despite the fact that CALEA originally applied only to "telecommunications carriers" and excluded "information services" from its scope.

The FCC justified this expansion by citing a previously unused portion of CALEA that authorized the FCC to apply CALEA to any "wire or electronic communication switching service," so long as that service "is a replacement for a substantial portion of the local telephone exchange service and . . . it is in the public interest to do so." The FCC cited to this, saying many use broadband and VoIP services to at least partially replace traditional telephone use. The FCC also argued that the exclusion of "information services" from CALEA does not apply because the agency interprets the definitions of "telecommunications" and "information services" differently for CALEA than it does for the Communications Act.

On the same day as the Order was issued, the FCC released a policy statement that outlined the FCC's belief that "consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement." This announcement indicates the potential for wiretap provisions to expand into an even wider variety of communications methods. The final breadth of this expansion remains to be seen.

FCC Order and Further Notice of Proposed Rulemaking (pdf):

FCC Policy Statement (pdf):

2003 EPIC Letter to Chairman Michael Powell on VoIP Regulation:

EPIC Wiretap Page:

[3] US-VISIT's Travel ID Plan Still Has Security, Privacy Risks

In comments to the Department of Homeland Security, EPIC again has urged the agency to abandon a flawed proposal to embed Radio Frequency Identification tags in the Form I-94 or Form I-94W, which is the Arrival-Departure record issued to a traveler to the United States. The plan lacks basic privacy and security safeguards, and these costs substantially outweigh the limited timesaving benefits, EPIC said.

Under US-VISIT, foreign visitors are subject to biometric collection, biographic data collection, and watch list checks. The information collected from individuals includes name, date of birth, country of citizenship, passport number and country of issuance, complete U.S. destination address, and digital fingerscans.

The wireless travel ID plan contains a significant risk of unauthorized access. Although DHS states that the RFID tags will only carry a unique identification number, which will not contain any personally identifiable information, the ID numbers are linked to data files, and are subject to interception. The ID number is the key that permits access to records in the US-VISIT system.

Another significant security risk is that of clandestine tracking. RFID is an invisible technology. It allows a person's information to be accessed without his or her knowledge. Anytime a visitor is carrying his I-94 RFID-enabled form, his unique identification number, which is linked to his individual biographic information, could be accessed by unauthorized individuals. So long as the RFID tag or chip can be read by unauthorized individuals, foreign visitors could be identified and tracked.

EPIC has submitted a series of comments on database proposals undertaken by DHS regarding the development of the US-VISIT program. Most recently in August, EPIC urged DHS to abandon the RFID plan because the problems with the proposal are very similar to the problems found in the State Department's flawed proposal to include RFID tags in U.S. passports. The State Department is reassessing the plan after receiving a storm of criticism from civil liberties, security and privacy groups, including EPIC.

EPIC's recent comments (pdf):

EPIC's Aug. 4, 2005 comments (in html and pdf):



[4] EPIC Unveils Page About Theme Parks and Privacy

EPIC has created an issue page on theme parks and privacy to act as a single source of information for consumers to learn more about privacy issues surrounding theme parks. The page provides information on theme parks' growing use of biometrics and other surveillance technology for commercial purposes.

For instance, fingerprint scans are now being used to keep track of visitors who enter and exit theme parks such as Walt Disney World. On January 2, all current Disney World admission passes began using fingerprint scans as a means to track customers entering Disney theme parks. Each park visitor is asked to make the peace sign and then place the fingers into a fingerprint reader. The digital fingerprint information is stored and used to match visitors with their park pass. All individuals who are 10 years of age or older are asked to provide their fingerprints for scanning. However, children younger than ten have also been participating in this customer identification program.

Unfortunately, many visitors to the theme parks are not aware of the new policy. They are not informed that their fingerprint information has been scanned and retained. Customers were not provided with information on how long the fingerprint information would be retained, nor whether the information collected would be used for purposes other than the control of admission to the theme park.

Another theme park profiled on the page is DestiNY USA, which is under construction in the state of New York. This commercial center and theme park has been advertised as a place where marketers can study consumers interacting within a "living laboratory." The park claims that it has "built in the access and capacity for partner companies to monitor and continuously improve their products and services as they are being used by millions of visitors."

The two parks highlighted are not the only theme parks using biometrics and surveillance technology to monitor visitor access and activity within parks. As technologies that were once considered inappropriate for use on the general public become more available, park visitors must be on guard for additional threats to their privacy.

EPIC's Theme Park Page:

[5] Congress Demands Limits on "Sensitive Security Information"

In a conference report on the 2006 Homeland Security Appropriations Act, Congress instructed the Department of Homeland Security to create clearer and more consistent procedures for determining what documents are to be considered "sensitive security information," or SSI. While such documents are unclassified, they are still withheld as being too sensitive to release publicly. Among the documents considered SSI are airport security plans, specifications for screening devices, and vulnerability studies. However, in recent years, the category has expanded to include "security directives" and any "other information" within an agency's discretion. For instance, Transportation Security Administration employees have cited SSI to refuse to tell airline passengers why they were being searched.

The Congressional report sought to curb the proliferation of SSI in areas that should be in the public domain. The report requires each office within Homeland Security to have a specific official who will designate documents as SSI. Congress also requires the Secretary of Homeland Security to give the titles of all SSI documents to Congress in an annual report.

This July, EPIC won a battle with the Department of Homeland Security and the Transportation Security Administration over SSI designations. A federal court found that government agencies cannot withhold information simply by designating it SSI, without any further description. Though federal agencies "are not required to describe the withheld portions in so much detail that it reveals the sensitive security information itself," the court said they are required to "provide a more adequate description" to explain why material is not made public. EPIC filed a Freedom of Information Act suit to force DHS, TSA and the FBI to release documents detailing the agencies' efforts to obtain airline passenger information. Though the court found that the FBI had conducted an adequate search for documents, and TSA and DHS had properly withheld some material, the court ordered DHS and TSA to provide more detailed justification for numerous withholdings.

Excerpts from the Conference Report:

Full text of the Conference Report on the 2006 Homeland Security Act:

Opinion in EPIC FOIA Case (pdf):

[6] News in Brief

Spotlight: Registered Traveler Program Creates Private ID System

“Spotlight on Surveillance” turns to the Registered Traveler air passenger prescreening program run by Verified Identity Pass, Inc. Travelers pay $80 per year and submit personal data, including Social Security numbers, fingerprints, and iris scans, to the company for the privilege of a “fast pass” through airport security. The program may expand beyond airports to office buildings and stadiums. The system not only contains significant security and privacy flaws, it also creates the risk that people may eventually have to pay for an unregulated, privatized ID card simply to enter an office building.

Spotlight on Surveillance:

EPIC's Passenger Profiling Page:

Recent Poll Shows Widespread Concern for Consumer Privacy

A recent CBS/New York Times poll shows that Americans are increasingly worried about their personal information being collected and shared by private companies. 52% think the right to privacy is under serious threat, and another 30% think it has already been lost. Only 16% think it is still safe. The poll also reveals that 55% were very concerned about having personal information stolen, and another 34% were somewhat concerned. Financial institutions were seen as the biggest threat to privacy, with half of the respondents naming banks and credit card companies as the source of the greatest threat to privacy. The federal government was the primary privacy threat seen by 14%. 68% of respondents felt that the federal government should be doing more to protect their privacy. Respondents were not asked about state or local governments.

EPIC's Public Opinion and Privacy Page:

EPIC Comments on ICANN WHOIS Proposal

EPIC has filed comments with the Internet Corporation for Assigned Names and Numbers (ICANN) on its new WHOIS policy. Under ICANN's current policies, those registering domain names must make public their contact information via WHOIS. But under many local and national laws, this information is private. The Task Force now recommends that registrars be allowed to request exceptions to the ICANN policies if they can show a conflict with local or national laws. The EPIC comments support this change but also urge that far more comprehensive and effective policies be explored and implemented.

EPIC's Comments to ICANN:

ICANN WHOIS Task Force Report:


Senate Adds Unrelated DNA Collection to Violence Against Women Act

A measure that would allow the collection of DNA from any person detained or arrested by law enforcement was attached to the Violence Against Women Act. The amendment, unrelated to the Act, would allow law enforcement to collect DNA even from those not convicted or charged with any crime. The DNA would then be added to a federal DNA database. CODIS currently includes the DNA only of those who have been convicted, indicted, or charged with crimes.

Text of the bill (DNA Fingerprint Act is under Title X):

California to Track Parolees, Probationers by GPS

California Gov. Arnold Schwarzenegger signed legislation Tuesday that will allow counties and the state to track people on probation or parole by attaching global positioning system devices to their ankles. Each device costs about $9 per day to operate and can be assigned by probation officers without a judge's order. California has 115,000 parolees and 250,000 on probation.

California Legislative Information on the bill (SB 619):

Homeland Security's Privacy Officer Steps Down

On September 29th, Nuala O'Connor Kelly stepped down as the Chief Privacy Officer at the Department of Homeland Security. The position was created in an attempt to safeguard privacy rights at DHS. Although civil liberties groups praised Ms. O'Connor Kelly for her work, which included calling attention to several privacy breaches at DHS, they also noted that the position of Privacy Officer lacked the independence necessary to truly protect Americans' privacy. Ms. O'Connor Kelly leaves DHS to take a position as head of privacy issues at General Electric. Maureen Cooney, Ms. O'Connor Kelly's former chief of staff, has been named acting director.

Department of Homeland Security Privacy Office:

[7] EPIC Bookstore: Dan Tynan's "Computer Privacy Annoyances"

Dan Tynan, Computer Privacy Annoyances: How to Avoid the Most Annoying Invasions of Your Personal and Online Privacy (O'Reilly 2005)

Dan Tynan's Computer Privacy Annoyances gets it right: the book provides excellent advice on how to protect privacy without turning the reader into a paranoid. The book has one of the best "top ten" steps to protect privacy I've read. He covers privacy at home, work, and on the Internets. He also covers privacy in public, an increasingly important topic in an age of ubiquitous cameras and nagging offline requests for personal data at retail stores. A prescient section of the book discusses the privacy risks associated with social network software, systems that many even in the privacy community have adopted.

Oddly enough, O'Reilly (the publisher) stuck a registration card in Tynan's book. A careful reader of Tynan's book will learn that such product registration cards are just marketing tools and should be dispatched to the recycling bin.

-- Chris Jay Hoofnagle

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50. survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40. is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40. resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40. "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and international privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore "EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Access & Privacy Workshop 2005: Toolkit For Change. Ontario Ministry of Government Service’s Access & Privacy Office. October 6-7, 2005. Toronto, Ontario. For more information:

State of Play III: Social Revolutions. Berkman Center for Internet and Society, New York Law School, Yale Law School. October 7-8, 2005. New York, NY. For more information:

World Conference and Exhibition on the Practical Application of Biometrics. Elsevier. October 19-21, 2005. Westminster, London, UK. For more information:

Public Voice Symposium: "Privacy and Data Protection in Latin America - Analysis and Perspectives." Launch of the first Spanish version of "Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto Lleras Camargo de la Universidad de los Andes, Bogota, Colombia. Organizers: Electronic Privacy Information Center (EPIC), Grupo de Estudios en Internet, Comercio Electrónico, Telecomunicaciones e Informática (GECTI), Law School of the Universidad de los Andes, Bogota, Colombia, Computer Professional for Social Responsibility-Peru (CPSR-Perú). For more information:

Cryptographic Hash Workshop. National Institute of Standards and Technology, Computer Security Division. October 31-November 1, 2005. Gaithersburg, MD. For more information:

International Conference on Digital Rights Management: Technology, Issues, Challenges, and Systems. Telecommunications and Information Technology Research Institute (University of Wollongong), International Association for Cryptologic Research, IEEE Task force on Information Assurance. October 31-November 2, 2005. Sydney, Australia. For more information:

6th Annual Privacy and Security Workshop. Centre for Innovation Law and Policy (University of Toronto) and the Center for Applied Cryptographic Research (University of Waterloo). November 3-4, 2005. University of Toronto. For more information:

ACM Conference on Computer and Communications Security. Association for Computing Machinery: Special Interest Group on Security, Audit, and Control. November 7-11, 2005. Alexandria, VA. For more Information:

The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information:

Corporation For Assigned Names and Numbers (ICANN) Meeting. November 30-December 4, 2005. Vancouver, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

issues are available at:

EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

