WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2005 >> [2005] EPICAlert 25

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 12.24 [2005] EPICAlert 25


Volume 12.24 December 01, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
Table of Contents

[1] EPIC Supports State Credit Freeze Laws
[2] Government Agency Seeks New Power to Track Travelers
[3] Denver Bus Rider Arrested for not Showing ID
[4] Canada's Privacy Officer Calls for "Drastic Action" on Phone Records
[5] EU Parliament Enacts Data Retention Limits
[6] News in Brief
[7] EPIC Bookstore: "The Glass Consumer"

[8] Upcoming Conferences and Events

[1] EPIC Supports State Credit Freeze Laws
In comments to the New York State Legislature and the Maryland AttorneyGeneral, EPIC argued that individuals need more control over theircredit reports in order to curb the incidence and severity of identitytheft. The comments were in response to requests from both New York andMaryland government officials who are exploring "credit freeze" laws,legislation that gives individuals the ability to prevent thedissemination of their credit report to new creditors. If creditgrantors cannot access an individual's report, the creditor will notissue a new account. Therefore, by allowing consumers to have morecontrol and freeze their reports, they can stop identity theft.

A consumer-friendly credit freeze law would allow any individual
evensomeone not victimized by identity theft
to freeze his or her creditreport. Furthermore, individuals should be able to quickly "thaw" theirfiles online or by calling a toll-free number when they need to applyfor credit or a job.

The EPIC comments highlight how individuals need control over theircredit reports because the financial services industry continues to uselax practices in granting credit. For instance, despite the promise thatconsolidation of banks and greater information sharing would reduceidentity theft, banks are sending out a record number of "pre-screened"
credit offers in 2005. Over 5 billion of these offers will be sent inthe mail this year, and criminals can easily search mailboxes to obtainthe offers and use them to steal others' identities.

The comments also focus attention on instant credit. A number ofcommentators have remarked in recent months that instant credit grantingmakes identity theft "easy." The competition to issue new instant creditaccounts is such that creditors are opening accounts to toddlers anddogs. In a series of identity theft cases documented in EPIC's comments,identity thieves were able to obtain new accounts despite the fact thatthey left clearly inaccurate information on the credit application. Inone case, creditors issued new accounts four times to an impostor whoused the wrong first name, birth date, and address of the victim.
Without the ability to freeze one's credit report, there is no way foran individual to avoid these practices.

Finally, EPIC warned New York and Maryland authorities that thefinancial services industry has begun to "blame the victim" for identitytheft. By engaging in a selective reading of identity theft statistics,financial services companies have argued that in a majority of thecases, roommates, family members, and others close to the victimcommitted the crime. However, only about half of identity theft victimseven know how their identity was stolen. Only about a quarter of victimsknow the actual identity of the thief, and in those cases, about a thirdof the time the impostor was a family member. But the financial servicesindustry wants to blame the victim in order to maintain the status quoand shift the focus from away from its own practices.

EPIC Comments on Maryland Credit Freeze Laws:

EPIC Comments on New York State Credit Freeze Laws:

EPIC Identity Theft Page:

[2] Government Agency Seeks New Power to Track Travelers

The Centers for Disease Control and Prevention has proposed a rule thatwould greatly expand the powers of the federal government to track andquarantine individual travelers. The federal government, airline andshipping industries would scrutinize travelers more closely.

The new rule, estimated to cost up to $865 million a year, would requireairline and shipping industries to gather passenger contact and healthinformation, maintain it electronically for at least 60 days, andrelease it to the CDC within 12 hours of a request. The CDC would retainthe information for a year. The information gathered would include:
"permanent address, email address, passport information, travelingcompanions or group, emergency contact information (including at leastname of an alternate person or business and a phone number), phonenumber(s) for the passenger, itinerary, and other flight information."
According to the CDC, "[t]his set of data is greater than the set ofinformation currently collected by the airlines, [global distributionsystems], or travel agencies."

The rule also broadens the list of symptoms that would make passengerssubject to quarantine. It would allow the CDC to detain a sickindividual for three business days without a hearing. After that time,the CDC Director would have the power to quarantine an individual untilthe end of "the period of incubation and communicability for thecommunicable disease as determined by the Director." For most diseases,this would be about a month. During that month, the quarantined personwould be able to have an administrative hearing, but only to disputefactual evidence on whether the person has been exposed to a disease.
Legal or constitutional claims could not be addressed by the hearing,though detainees could petition for a writ of habeas corpus for judicialreview of the quarantine order.

With regard to its Privacy Act obligations, the CDC states only that"[i]nformation and records provided to CDC will be maintained and storedin accordance with HHS and CDC policies and in accordance with PrivacyAct (5 U.S.C. 552a) and its implementing regulations (45 C.F.R. Part5b), which require that the records only be used for authorized purposesby authorized personnel." What uses and personnel are authorized areunclear.

EPIC urges the public to submit comments and ask for a clear explanationof how the CDC will comply with the provisions of the Privacy Act. Thepublic has until January 30, 2006 to comment on this rule. As part of aneffort to protect patients' privacy rights, EPIC and Patient PrivacyRights are circulating an online petition calling for strong safeguardsof health record information.

The Proposed CDC Rule:

To submit comments about the Rule:

EPIC's Medical Privacy Page:

"I Want My Medical Privacy!" petition:

Patient Privacy Rights site:

[3] Denver Bus Rider Arrested for not Showing ID

On September 26, Deborah Davis was arrested in Denver, Colorado forrefusing to show an ID to a guard who had boarded the public bus she wasriding. After federal officers were called onto the bus, she wasarrested and cited with violating two federal regulations. She isscheduled for arraignment before a U.S. magistrate judge on December 9.

Davis was riding to work when the bus, on its normal route, stopped atthe gates of the Denver Federal Center. A guard boarded the bus anddemanded to see ID from all of the passengers. Davis refused, notingthat she was not required to show ID. When ordered off the bus, Davisalso refused. The guard then called officers of the Federal ProtectiveService to the bus. When Davis continued to refuse to show ID or leavethe bus, she was handcuffed, removed from the bus, and driven to apolice station within the Federal Center. Officers at the stationconferred for a while, then issued two tickets to Davis before allowingher to leave.

Davis has been cited with violating two provisions of the Code ofFederal Regulations: one authorizing guards to request ID from personsentering closed areas of federal property, and another requiringcompliance with lawful directions from officers. The municipal bus waspassing through the Center during normal business hours. Officials saythat the ID checks are part of a security program instituted after theOklahoma City bombings of 1995, and that they occur only when theFederal Center is on "heightened alert," of which the public might notreceive warning.

Last year, the Supreme Court narrowly upheld a Nevada state law thatallowed officers to arrest individuals "reasonably suspected" to havecommitted a crime when they refuse to provide their names to police.
EPIC filed an amicus brief in that case, Hiibel v. Sixth JudicialDistrict Court of Nevada, arguing that compelled disclosure of identityaffects privacy, as well as anonymity rights. In contrast to the Hiibelcase, Davis was apparently asked to show documentary identification, andwas not under suspicion of committing a crime.

Davis's Site:

Story in the Rocky Mountain News:

EPIC's Hiibel page:

EPIC's amicus brief in Hiibel (pdf):

[4] Canada's Privacy Officer Calls for "Drastic Action" on Phone Records

A reporter successfully obtained the personal and government phonerecords of Canadian Privacy Commissioner Jennifer Stoddart, causing herto call for "drastic action" to address the security of phone records.
The reporter, Jonathan Gatehouse of Maclean's Magazine, obtained thephone records from American data broker "" for $200 perorder, "no questions asked." An exemption in Canadian privacy law allowsreporters to engage in such activities for newsgathering purposes. is one of 40 websites identified by EPIC as openlyadvertising its ability to obtain phone calling records for a fee. EPICfiled a complaint with the Federal Trade Commission concerning suchsites in July 2005. In August, EPIC petitioned the FederalCommunications Commission, and urged the agency to create heightenedsecurity requirements for phone calling records.

Since EPIC filed its complaint and petition, a number of reporters havesuccessfully obtained phone records through online data brokers. VerizonWireless has brought at least two cases against companies that obtainrecords. However, the FTC and FCC have yet to act.

Individuals concerned about protecting their phone records should takeseveral steps. First, ensure that your phone account in held in yourname. For instance, if the account is held in a spouse's name, yourspouse can obtain the records. Second, call your phone carrier and placea password on your account. Use a password that you are apt to remember,but others are not likely to know. The name of your first pet, a streetyou lived on, or the name of your grade school will suffice. Do not useyour date of birth, mother's maiden name, or Social Security number.
Finally, be sure to opt out of the sale of "CPNI," when you call thecarrier. CPNI is your calling records, which are sold by many carriersfor marketing purposes unless you opt out.

Maclean's Article on Protection of Phone Records

EPIC's Page on Illegal Access to Phone Records:

[5] EU Parliament Enacts Data Retention Limits

Members of the European Parliament's Civil Liberties Committee voted tolimit a proposed data retention directive being negotiated by theEuropean Commission and 25 European Union governments through theCouncil of the EU. The proposal has now gone back to the Council ofMinisters for them to accept the amendments or make further changes. TheParliament and the Council will then have to reach a compromise on thefinal legislation, which will later go to the European Parliament for avote. Great Britain, which holds the EU Presidency until the end of theyear, reaffirmed its commitment to reaching an agreement on the dataretention issue by that time.

The Committee's recommendations include decreasing from 24 to 12 monthsthe maximum period during which telephone companies and Internet serviceproviders could store traffic data. Committee members also agreed that thedata retention requirements could only apply to cases of serious crimes,instead of all crimes. This comes as a reaction to a move from the musicand movie industries, who are eager to use the traffic data from allusers to prosecute people for uploading copyrighted files onto theInternet and using peer-to-peer file-sharing networks. Consumer groups havepointed out that the entertainment industry is attempting to hijack alegislation intended mostly to fight terrorism for their own, totallyunrelated, needs.

The Committee's amendments make modifications to the draft directive torequire that a judge authorize access to telephone and Internet traffic;
that there be provisions on access to retained data; that data mining beprohibited, and the type of data to be retained be limited. They alsomake it an obligation for EU governments to reimburse companies'
storage, management, data protection and data security costs the dataretention requirements mandate; recommend a sunset clause for the wholedirective; and that criminal sanctions be introduced for theinfringement of data security and data protection provisions.

European Digital Rights, a coalition of European civil liberties organizations, hasexpressed concern about the data retention proposal. The ISP andtelecommunications industries are also opposed to the draft directive,claiming in a joint statement that the retention periods the Parliamentput forward are still too long, and the scope of data too wide.

EPIC's International Data Retention page.

European Digital Rights (EDRi) home page:

[6] News in Brief

EPIC Files Suit for Information on Requests for Taxpayer RecordsEPIC has asked a federal court to order the Internal Revenue Service torelease documents about law enforcement and intelligence requests fortaxpayer records since 9/11. EPIC has been seeking the informationthrough the Freedom of Information Act since July 2004, but the agencyhas failed to disclose any documents. An EPIC FOIA request to the SocialSecurity Administration revealed earlier this year that the agencychanged its traditionally strict disclosure policy to allow lawenforcement agencies to obtain personal information merely by statingthe data was sought "in connection" with a 9/11 investigation. Thedocuments show the policy was still in effect in May 2004.

EPIC's complaint (pdf):

Documents obtained by EPIC from the Social Security Administration(pdf):

EPIC's Internal Revenue Service Page:

Public Voice Symposium on Privacy in the Information SocietyEPIC hosted a panel at the World Summit on the Information Society inTunisia on November 18, 2005 to introduce the highlights of its upcoming"Privacy & Human Rights 2005" survey. Seven panelists from Europe, NorthAmerica, Latin America, the Middle East and Asia discussed their viewson the importance of privacy in the Information Society and the recentprivacy developments in their region. The panel gathered representativesfrom civil society, human rights organizations, data protectionauthorities and academic experts.

Public Voice Symposium Web page:

Highlights from Privacy & Human Rights 2005 (pdf):

Senate Considers Additional Exception to Federal Privacy LawThe Senate is mulling over a legislative proposal that would create anintelligence exception to a federal privacy law. The Privacy Act imposesobligations upon federal agencies maintaining personal data aboutcitizens and permanent residents, and gives those individuals rights intheir personal information held by the government. The proposedexemption would allow intelligence and other agencies to shareinformation gathered about citizens and permanent residents when thedata is related to foreign intelligence or counterintelligence. Thelegislation would also prevent individuals from accessing and correctingrecords maintained about them by intelligence agencies, or learning towhom those records have been disclosed.

S. 1803, Intelligence Authorization Act for Fiscal Year 2006:

EPIC's Privacy Act of 1974 Page:

European Court's Top Advisor: Sharing Passenger Data with DHS ImproperThe Advocate General of the European Court of Justice called for theannulment of the May 2004 Passenger Name Records agreement between EUand US authorities. The agreement requires airlines flying from the EUto the US to disclose their passengers' personal information, includinge-mail and credit card details. The European Parliament complained withthe Court later that year that the agreement did not sufficientlyprotect European travelers' privacy rights. Any eventual ruling by theCourt, which follows the Advocate General's opinion 80% of the time, maycall other EU anti-terrorism measures into question, as a data retentionproposal now for review before EU institutions (see item

[5] above) isbeing carried out under the same legal basis as the Passenger nameRecords agreement. The Court's final decision is expected next spring.

EPIC's EU-US Airline Passenger Data Disclosure page:

EPIC's Data Retention page:

FTC Study Shows Filters, Masking Help Reduce SpamIn a report released on November 28, the Federal Trade Commission foundthat using spam filtering technologies and techniques such as "masking"
helps reduce the volume of unsolicited emails that consumers receive.
Researchers created 150 email accounts, some with spam filters, and somewithout, and posted the addresses at various places on the Internet. Thestudy showed that Internet service providers that use spam filtersreduced spam by 86-95% over a five-week period. Masking, a technique bywhich email addresses are presented in a human-readable, but notmachine-readable form (for instance, by displaying "epic-info AT epicDOT org" instead of ""), was found to be highlyeffective. Four masked addresses received one spam message over afive-week period, while four unmasked addresses received 6,416.

Results of the FTC Spam Study (pdf):

FTC Press Release:

EPIC's Spam page:

United Kingdom to Build System to Track All DriversThe United Kingdom is creating a system that will track every personusing its roadways and retain the data for at least two years, even ifthe driver has committed no offense. The system will link camerasurveillance systems, Automatic Number Plate Recognition technology, andpolice and motor vehicle databases. UK officials say the system will beused to find uninsured drivers, road tax evaders, and stolen cars, butalso for more serious crimes. The new system would add to GreatBritain's already-extensive surveillance system -- more than 4 millioncameras have been deployed throughout the country. It is estimated thatthe average Briton is seen by 300 cameras per day.

EPIC's Spotlight on Surveillance about Camera Systems:

Privacy and Human Rights 2004 on Video Surveillance:

[7] EPIC Bookstore: "The Glass Consumer"

Edited by Susanne Lace

"The Glass Consumer" sets out a lofty goal for itself: "to promote anambitious, sophisticated manifesto for the personal information economy,taking in but exploring broader terrain than privacy." It analyzes theissues of personal information not just in terms of individual privacy,but in terms of consumer protection and the preservation of socialbenefits. In doing so, it succeeds in refining the discourse on the useof personal information.

The bulk of the "The Glass Consumer" is a collection of essays writtenmostly by UK information policy experts, who provide a broad, ifoccasionally scattered, background of the many components of the debate.
Authorities in fields as diverse as marketing, privacy enhancingtechnologies, and health care law each give a reasoned view of theirparticular areas of expertise, with some hints as to how each authormight proceed. The actual policy debate between the authors' conflictingviews and assumptions, however, is left for the reader to conduct.

Dr. Lace references, but does not rely solely upon these backgroundchapters as she ends the book with an in-depth policy statement, settingforth the Council's agenda and recommendations for managing personalinformation in the future. This final part of the book describes themyriad issues and provides recommendations for future policy, gearedtowards the UK.

These recommendations include promoting the use of privacy enhancingtechnologies, and granting stronger enforcement and auditing powers forthe Office of the Information Commissioner. The book also suggests amajor review of the European Commission's Data Protection Directive,including clarification of key terms, requiring opt-in provisions acrossall sectors, requiring separation between public and private sectordatabases, and increasing access rights, to allow consumers to find outwhich organizations have obtained personal information. Increasedconsumer information is also stressed, such as a data breachnotification modeled after California's security breach law.

As extensive as the recommendations are,they still cannot address all ofthe vast issues raised in earlier chapters, and "The Glass Consumer" mayraise more questions than it answers, but as technology and policy moveforward, raising and framing these questions is a necessary step. Byprecisely articulating the debate on the personal information economy,
"The Glass Consumer" does the its readers, and the field of informationprivacy, a great service.

-- Sherwin Siy

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Lawsand Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides anoverview of key privacy topics and reviews the state of privacy in over60 countries around the world. The report outlines legal protections,new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2004 is the most comprehensive report on privacyand data protection ever published.

"FOIA 2004: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedomof Information Act, the Privacy Act, the Government in the Sunshine Act,and the Federal Advisory Committee Act. The 22nd edition fully updatesthe manual that lawyers, journalists and researchers have relied on formore than 25 years. For those who litigate open government cases (orneed to learn how to litigate them), this is an essential referencemanual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit onthe Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and theprocess of the World Summit on the Information Society (WSIS). Thisreference guide provides the official UN documents, regional andissue-oriented perspectives, and recommendations and proposals forfuture action, as well as a useful list of resources and contacts forindividuals and organizations that wish to become more involved in theWSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law,and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's DeskReference" of the privacy world, is the leading resource for students,attorneys, researchers, and journalists interested in pursuing privacylaw in the United States and around the world. It includes the fulltexts of major privacy laws and directives such as the Fair CreditReporting Act, the Privacy Act, and the OECD Privacy Guidelines, as wellas an up-to-date section on recent developments. New materials includethe APEC Privacy Framework, the Video Voyeurism Prevention Act, and theCAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumers andthe basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although several governmentsare gaining new powers to combat the perceived threats of encryption tolaw enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries ofinteresting documents obtained from government agencies under theFreedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:

Regulating Search: a Symposium on Search Engines, Law, and PublicPolicy. Yale Information Society Project, Yale Law School. December 3,
2005. New Haven, Connecticut. For more information:

Committee Meeting of the Department of Homeland Security's Data Privacyand Integrity Advisory Committee. Department of Homeland Security.
December 6, 2005. Washington, DC. For more information:

Cutting Edge Issues in Technology Law Confrence. Law SeminarsInternational. December 8-9, 2005. Seattle, Washington. For moreinformation:

Meeting of the Information Security and Privacy Advisory Board. NationalInstitute of Standards and Technology. December 6-7, 2005. Rockville,Maryland. For more information:

Ensuring Privacy and Secuurity of Consumer Information. AmericanConference Institute. January 26-27, 2006. New York, New York. For moreinformation:

Privacy in the Information Age: Databasese, Digital Dossiers, andSurveillance. High Tech Law Institute, Santa Clara University. January27, 2006. Santa Clara, California. For more information:

First International Conference on Availability, Reliability andSecurity. Vienna University of Technology. April 20-22, 2006. Vienna,Austria. For more inofrmation:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC IrvineInstitute for Software Research and the National Science Foundation.
April 22-23. Montreal, Quebec, Canada. For more information:

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Oshawa, Ontario, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (link toother databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under "subscriptioninformation."

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,and the collection and sale of personal information. EPIC publishes theEPIC Alert, pursues Freedom of Information Act litigation, and conductspolicy research. For more information, see or writeEPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryption andexpanding wiretapping powers.

Thank you for your support.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback