WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2005 >> [2005] EPICAlert 23

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 12.22 [2005] EPICAlert 23


Volume 12.22 November 4, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
Table of Contents

[1] EPIC, Patient Privacy Rights Launch Effort to Protect Medical Records
[2] EPIC Testifies on Registered Traveler
[3] New Passports Still to have RFID
[4] EPIC Documents Show Possible Abuses of Intelligence Powers
[5] EPIC, Others Challenge Internet Wiretap Order
[6] News in Brief
[7] EPIC Bookstore: Renee Marlin-Bennett's "Knowledge Power"

[8] Upcoming Conferences and Events

[1] EPIC, Patient Privacy Rights Launch Effort to Protect Medical Records

On October 26th, EPIC joined with Patient Privacy Rights in an effort toestablish stronger protections in the United States for patients'
medical information.

"2005 is the year that the American public learned that massive securitybreaches of personal information have made identity theft the number onecrime in America. We must not allow the most sensitive personal recordsthat exist, our medical records, to go online without adequate privacysafeguards," said EPIC Executive Director Marc Rotenberg.

Congress is rushing to pass legislation to establish a national HealthInformation Network without patient privacy protections. Yet recentsurveys show that Americans consider the privacy of medical records tobe a major concern. A Harris poll this past February found that 69percent of adults do not believe strong enough data security will beinstalled in the system. An earlier Gallup survey found that 78 percentof the American public feel it is very important that their medicalrecords be kept confidential. And the Markle Foundation found that morethan three out of four respondents (79%) supported the right for apatient to control who can access his health information.

"No one should be able to see or use your medical records without yourpermission," said Dr. Deborah Peel, founder and chairman of the PatientPrivacy Rights Foundation. "Americans must have confidence in theprivacy and security of their online medical records."

As part of the effort to protect patients' privacy rights, the twogroups are circulating an online petition calling for strong medicalprivacy safeguards.

The petition states simply:

-- I want to decide who can see and use my medical records

-- I do not want my medical records or those of my family's to be seenor used by my employer

-- I should never be forced to give up my right to privacy in order toget medical treatment.

Patient Privacy Rights is an Austin, Texas-based national consumerorganization devoted to medical privacy.

"I Want My Medical Privacy!" petition:

Patient Privacy Rights site:

[2] EPIC Testifies on Registered Traveler

On November 3, the House of Representatives' Subcommittee on EconomicSecurity, Infrastructure Protection, and Cybersecurity held hearings onthe Transportation Security Administration's Registered Travelerprogram. The program allows travelers who submit to intensivebackground screening to pass through airport security screening morequickly.

EPIC Executive Director Marc Rotenberg testified on the problems withthe proposed program. He noted the security watchlists that form thebasis for the passenger pre-screening are riddled with inaccuracies thatare often extremely difficult to correct. Documents released to EPICunder the Freedom of Information Act revealed that over a hundredcomplaints of such errors were made to the Transportation SecurityAdministration in aperiod of less than a year.

Rotenberg also said that the program lacked the necessary privacyprotections of the Privacy Act of 1974. This is due to the fact thatRegistered Traveler databases are either owned by private companies thatare not regulated by the Act, or the government databases are exemptedfrom federal laws at the request of the Transportation SecurityAdministration.

Finally, Rotenberg cited the risk of "mission creep" within theRegistered Traveler program. Using Registered Traveler IDs insituations other than aviation security, as some vendors have suggested,would lead to travelers being allowed or denied access to any number ofvenues based not upon their risk to that venue, but on their supposedrisk to aviation. EPIC recommended that the plan not go forward untilthese flaws were fixed.

Also testifying before the Committee was Kip Hawley, Director of theTransportation Security Administration. Participants on a second panelwith Rotenberg were Charles Barclay of the American Association ofAirport Executives, Steven Brill of Verified Identity Pass, Larry Zmudaof Unisys.

Despite these concerns, representatives on the subcommittee were eagerto implement the system and questioned Director Hawley on the program'sslow development. They also had many questions for the industry memberson the second panel about the role that private businesses would play inthe system. Registered Traveler has been conceived as being run byprivate companies, with the Transportation Security Administrationproviding the background checks for registered travelers and performingthe screening at airports. The involvement of both the Administrationand private companies raised privacy concerns with several Subcommitteemembers.

Representative Dicks (D-WA) questioned Hawley about accuracy of thesecurity watchlists. Using language from Rotenberg's written statement,Congressman Dicks noted that the lists have demonstrated errors (such aslisting Senators Kennedy and Young for additional screening) and majorobstacles to correcting them (Senator Kennedy had to appeal directly tothen-Homeland Security head Tom Ridge). Hawley said that there was aredress process, with a special number added to the erroneous files, andthat the process was "very quick." He did not give additionalspecifics.

As for Privacy Act protections, Brill said that his company wouldvoluntarily abide by all Privacy Act safeguards, which do not ordinarilyapply to private companies. Regarding private companies' record withregard to consumers' privacy, Representative DeFazio (D-OR) had "twowords for that: Choice Point."

Testimony of Witnesses:

TSA's Registered Traveler site:

EPIC's Spotlight on Registered Traveler:

EPIC FOIA Note #8:

[3] New Passports Still to Have RFID

The State Department announced it will move forward with plans torequire new passports to be equipped Radio Frequency Identification(RFID) chips. The recently issued final rule also attempts to addressdeficiencies in a previous proposal, which would have made personal datacontained in the hi-tech passports vulnerable to unauthorized access.

The previous design would have stored information in the remotelyreadable passports in unencrypted form. Tests had shown that thepassports' RFID chips could be read from two feet or more, posing asignificant risk of unauthorized access. The program was widelycriticized as unnecessary and insecure by EPIC and other civil libertiesgroups. The previous design was also criticized by privacy and securityexperts and the travel industry.

The State Department now plans to cover the passport booklet withmetallic shielding that effectively blocks transmission of informationwhen the booklet is not open. The Department also called for theimplementation of Basic Access Control, a practice in which the datacontained in the RFID chip is stored in encrypted form, and is onlydecrypted by RFID readers that optically read and decode a key printedon the inside of the passport's cover. This key is also used to encryptall communications between the passport and the reader.

The State Department, in conjunction with the National Institute ofStandards and Technology, will also add shielding to the RFID readers inan attempt to prevent the interception of signals between authorizedreaders and passports. The State Department did not, however, provideany details concerning this effort.

While these proposed changes should mitigate the most significant risksof skimming and eavesdropping, they invalidate the main justificationthat the State Department used to promote the use of RFID technology -
to save time at Customs by distance scanning with no physical contactrequired.

Computer Security expert Bruce Schneier has also said that "collisionavoidance ID" in the chip still creates serious privacy risks and shouldbe fixed. He writes in a recent column for Wired, "the real issue is howmany other problems like this are lurking in the details of its design?
We don't know, and I doubt the State Department knows either. Theonly way to vet its design, and to convince us that RFID is necessary,would be to open it up to public scrutiny.

Final Rule:

EPIC, EFF et al, Comments on RFID passports (pdf):

EPIC's RFID page:

[4] EPIC Documents Show Possible Abuses of Intelligence Powers

Documents obtained by EPIC under the Freedom of Information Act describethirteen cases of possible government misconduct in intelligenceinvestigations. The documents, written by the FBI's Office of GeneralCounsel, describe Bureau investigations conducted for months withoutproper reporting or oversight, an FBI agent's seizure of financialrecords in violation of federal privacy law, and an unidentifiedintelligence agency's unlawful physical search.

Most matters discussed in the documents were reported to theIntelligence Oversight Board, which is tasked with reviewingintelligence activities. Under an executive order, inspectors generaland general counsel throughout the intelligence community must informthe board about "intelligence activities that they have reason tobelieve may be unlawful or contrary to Executive order or Presidentialdirective." The board then reports these activities to the Presidentand Attorney General.

The documents obtained by EPIC raise the troubling possibility thathundreds of allegations of unlawful investigations are reported fromvarious agencies to the board each year. Yet there is no requirementthat Congress is notified of these allegations or how these matters areultimately resolved. In response to the documents, EPIC has written aletter to the Senate Judiciary Committee highlighting the need for theAttorney General to report to Congress on potentially unlawfulintelligence investigations.

The documents were released by the Bureau in response to an EPIC opengovernment request filed in March for information about the FBI's use ofsunsetting provisions of the PATRIOT Act, many of which gave the FBIexpanded investigative powers. EPIC filed suit in federal court in Mayto force the FBI to release the information while Congress isconsidering renewal of the sunsetting provisions. Congressionalconferees are expected to meet soon to reconcile the differences betweenPATRIOT renewal legislation passed by the House and Senate.

EPIC FOIA documents on possible intelligence abuses (pdf):

EPIC's FOIA request (pdf):

Letter to the Senate Judiciary Committee:


EPIC's PATRIOT Sunset Page:

[5] EPIC, Others Challenge Internet Wiretap Order

EPIC joined a coalition of public interest and business groups onOctober 25 in challenging a Federal Communications Commission orderthat requires broadband Internet and certain voice-over-InternetProtocol (VoIP) providers to design their systems to ease governmentwiretapping. The order expands the reach of the 1994 CommunicationsAssistance for Law Enforcement Act.

The law grew out of concerns that, as telephone networks became moreadvanced, law enforcement agencies would have an increasingly difficulttime intercepting and deciphering the communications of suspects undersurveillance. In 1994, Congress drafted a law that required telephonecompanies to provide this assistance to the government. In passing theact, Congress removed from its coverage e-mail and “informationservices” like America Online and Prodigy.

The Commission's expansion of the law will apply it to broadbandInternet providers and to "interconnected VoIP" providers, whose systemsare capable of interfacing with the traditional telephone network. TheCommission also claimed that the wiretap law covered VoIP services thatdid not connect to regular telephones, but that it would address thosetechnologies in a later ruling.

The groups contend that the law specifically prohibits the FCC'sexpansion of its scope, and that applying it to these other technologieswill lead to privacy and security flaws. To challenge the Commission'sorder, they filed a petition for review, which brings the issue beforethe federal Circuit Court of Appeals for the D.C. Circuit. EPIC isjoined in the challenge by the American Library Association, theAssociation of Research Libraries, the Center for Democracy andTechnology, COMPTEL, the Electronic Frontier Foundation,, andSun Microsystems.

Petition for Review (pdf):

The FCC's order (pdf):

Text of the wiretap law:

EPIC's wiretap page:

[6] News in Brief

Alito Paper on Privacy

EPIC has obtained a copy of the final report prepared by Supreme Courtnominee Samuel Alito for a 1972 conference on "The Boundaries of Privacyin American Society." The paper proposes far-reaching protections forthe right of privacy, and specifically addresses such topics as the useof census data, polygraphs, domestic surveillance, communicationsprivacy, computer security and encryption, consumer protection, andhomosexuality.

Copy of Alito's 1972 report (pdf):

Spotlight: Facial Recognition Systems Don't Picture PrivacyThis month, Spotlight focuses on facial recognition systems. TheDepartment of Homeland Security has spent millions of dollars on these"smart" cameras that attempt to identify people based on their facialimages. However, several tests show the systems are not reliable. Facialrecognition systems also create significant privacy risks: the camerasare often hidden and there are no laws to prevent abuse.

EPIC's Spotlight on Surveillance page:

EPIC's Facial Recognition page:

Public Voice Privacy Symposium: Debut of Privacy and Human Rights 2005Government data protection authorities, academics, and human rights andprivacy groups gathered at the university of the Andes in Bogota,Colombia on October 20-21 to hold the Public Voice Symposium on Privacyand Data Protection in Latin America: Analysis and Perspectives. Thesymposium gave experts from Latin America and the United States anopportunity to analyze and debate the most current public policy issuesand recent developments in privacy in Latin America. The meeting alsomarked the introduction of the first Spanish-language edition of EPIC'sannual Privacy & Human Rights survey.

Symposium website (in English and Spanish):

Presentations available at:

47 Attorneys General Urge Congress to Protect Data Security
47 Attorneys General urged party leaders in the House and Senate to passa strong security breach notification law. The letter is in response toa series of bills that have been introduced to address security breachesand identity theft at the federal level, many of which are substantiallyweaker than existing state law. The Attorneys General argued quicknotification of is necessary because Federal Trade Commission statisticsshow that the cost and severity of identity theft are reduced whenvictims are informed shortly after their information is misused.

The Attorneys General also called for the ability of consumers to freezetheir credit report. Freezing a credit report makes it very difficultfor identity thieves to open new accounts in another's name. TheAttorneys General specified that credit freeze should be low cost forconsumers, free for identity thieves, and easy to "thaw" so thatconsumers can take advantage of credit offers.

The Attorneys General letter is online at (pdf):

Putting Identity Theft on Ice: Freezing Credit Reports to PreventLending to Impostors:

ID Thieves Prey on Financial Aid
According to the Wall Street Journal, identity thieves have found a newtarget for fraud: the government. Identity thieves are posing asstudents in order to collect federal student financial aid. One thiefprofiled by the Journal assumed 43 identities and stole $316,000 infederal aid. The thief committed the crime by purchasing a list ofnames of prison inmates, and using their personal information for fraud.

The article is online at:

[7] EPIC Bookstore: Renee Marlin-Bennett's "Knowledge Power;
Intellectual Property, Information & Privacy"

Where are the lines between privacy, intellectual property, andinformation flows?

Renee Marlin-Bennett offers perspective on the central question: How dothe ability to own intellectual property and information and the abilityto control how information flows become a source of power? This bookprovides a good review of the history of Intellectual Property and thekey changes in information technology that elevated the discussion ofprivacy in cyberspace to the forefront of public discourse.

One interesting reminder that the publication offers is that the rulesregarding intellectual property were established in the West and arequickly being adopted by the developing world. Intellectual propertyrights are dictating the global commercial exchange of goods andservices. The rules that define property rights are called"Commodification." These legal protections are based solely on humaninvention and not strict ownership definitions. The author asserts thatwhat has followed under the regime of intellectual property is a goodindication of where we are going.

This book reminds readers that computers and more importantly theInternet have changed the dynamics of personal information flow. Digitalinformation presents challenges to privacy and information transactioncontrol. With the speed and easy of sending personally identifiableinformation globally the stakes are high on getting privacy over theInternet wrong. Today in appropriate or illegal informationtransactions can and do happen.

Renee Marlin-Bennett's book "Knowledge Power; Intellectual Property,Information & Privacy," should be read by those just learning or wellversed on the topics of intellectual property, information, and privacy.

Lillie Coney

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Lawsand Developments" (EPIC 2004). Price: $50.

The Privacy Law Sourcebook, which has been called the "Physician's DeskReference" of the privacy world, is the leading resource for students,attorneys, researchers, and journalists interested in pursuing privacylaw in the United States and around the world. It includes the fulltexts of major privacy laws and directives such as the Fair CreditReporting Act, the Privacy Act, and the OECD Privacy Guidelines, as wellas an up-to-date section on recent developments. New materials includethe APEC Privacy Framework, the Video Voyeurism Prevention Act, and theCAN-SPAM Act.

"FOIA 2004: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedomof Information Act, the Privacy Act, the Government in the Sunshine Act,and the Federal Advisory Committee Act. The 22nd edition fully updatesthe manual that lawyers, journalists and researchers have relied on formore than 25 years. For those who litigate open government cases (orneed to learn how to litigate them), this is an essential referencemanual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit onthe Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and theprocess of the World Summit on the Information Society (WSIS). Thisreference guide provides the official UN documents, regional andissue-oriented perspectives, and recommendations and proposals forfuture action, as well as a useful list of resources and contacts forindividuals and organizations that wish to become more involved in theWSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law,and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and international privacy law, as wellas a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumers andthe basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although several governmentsare gaining new powers to combat the perceived threats of encryption tolaw enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries ofinteresting documents obtained from government agencies under theFreedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Contours of Privacy: Normative, Psychological, and Social Perspectives.
Carleton University. November 5-6, 2005. ottowa, Canada. For moreinformation:

12th ACM Conference on Computer and Commnuications Security. Associationfor Computing Machinery: Special Interest Group on Security, Audit, andControl. November 7-11, 2005. Alexandria, VA. For more Information:

Regulating Identity Theft and Data Breaches. American Bar AssociationSection of Administrative Law and Practice. November 17, 2005.
Washington, DC. For more information:

The Federal Bank Regulator's Approach to Data Security. American BarAssociation Section of Administrative Law and Practice. November 17,
2005. Washington, DC. For more information:

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:

Fifth International Conference on Data Mining. IEEE Computer Society.
November 27-30, 2005. Houston, TX. For more information:

First International Conference on Availability, Reliability andSecurity. Vienna University of Technology. April 20-22, 2006. Vienna,Austria. For more inofrmation:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (link toother databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under "subscriptioninformation."

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,and the collection and sale of personal information. EPIC publishes theEPIC Alert, pursues Freedom of Information Act litigation, and conductspolicy research. For more information, see or writeEPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryption andexpanding wiretapping powers.

Thank you for your support.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback