
EPIC Alert 12.04 [2005] EPICAlert 5


Volume 12.04 February 26, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Urges ChoicePoint To Give Access to 145,000 Victims
[2] California School Drops RFID Tracking Program After EPIC Protest
[3] EPIC Opposes Sharp Increase in TSA Surveillance Spending
[4] EPIC Comments on DC Metro's Public Access to Records Policy
[5] Bipartisan Legislation Introduced to Enhance Open Government
[6] News in Brief
[7] EPIC Bookstore: Michael Chesbro's Privacy Handbook
[8] Upcoming Conferences and Events

[1] EPIC Urges ChoicePoint To Give Access to 145,000 Victims

Following the extraordinary news this week that ChoicePoint sold personal information on at least 145,000 Americans to a criminal ring engaged in identity theft, EPIC urged the company to make available to those whose personal information was negligently disclosed the same information made available to the crooks. "It is not only a matter of fairness, but also a critical public safety concern that these individuals have in their possession the same information about them that you gave to criminals," said the February 18 letter from EPIC.

ChoicePoint sent out letters to California residents notifying them of the wrongful disclosure of their personal information because of a California state requirement. Following a letter from 38 state attorneys general urging the company to make similar notifications to individuals across the country, ChoicePoint sent out letters to 145,000 potential victims of identity theft across the country.

California police have reported that the criminals used the ChoicePoint data to make unauthorized address changes on at least 750 people, and investigators believe that personal information of up to 400,000 people nationwide may have been compromised.

EPIC also urged the company to "disgorge the funds that you obtained from the sale of the data and make these funds available to the individuals who will suffer from identity theft as a result of this disclosure." ChoicePoint sold the accounts for fees of $100 to $200. ChoicePoint CEO Derek Smith recently said the company has not yet decided if it will help defray expenses for consumers whose records may have been compromised.

Since 2001, EPIC has investigated commercial data aggregators such as ChoicePoint, which collect personal information on individuals and sell the data to third parties. In a December 16, 2004, complaint to the Federal Trade Commission, EPIC urged the commission to determine whether ChoicePoint and other data brokers comply with the Fair Credit Reporting Act and also asked whether it will be necessary to update the federal privacy laws to take account of new business practices. In an exchange of letters with EPIC in January, ChoicePoint stated that its auditing procedures were sound and there was no reason for the FTC to investigate.

The negligent sale of detailed personal information by the country's largest information broker underscores the need for the FTC to make certain that ChoicePoint and other data brokers are conducting business in compliance with federal privacy laws. Congressional lawmakers have called for an investigation into the collection and sales practices of data brokers such as ChoicePoint.

EPIC's reply to ChoicePoint's letter on FCRA:

For more information, visit EPIC's ChoicePoint page:

[2] California School Drops RFID Tracking Program After EPIC Protest

Last week, Brittan Elementary School in Sutter, Calif., abandoned an RFID tracking pilot program after InCom, the company which developed the technology, pulled out of its agreement with the school. (See EPIC Alert 12.03.) In mid-January the school started requiring its students to wear radio frequency identification badges that tracked every student's movements in and around the school on a real-time basis and displayed the child's picture, name, grade and class year.

Two weeks ago, EPIC, along with the Electronic Frontier Foundation and ACLU-Northern California, urged the Brittan School officials in a joint letter to terminate the program. The letter argued that the program raised serious safety and civil liberties implications and, most importantly, breached children's right to privacy and dignity by treating them like cattle or pieces of inventory.

Soon after the letter was sent and a meeting for parents took place to discuss the issue with the school administration, the media all around the country began reporting about the tracking system and its risks for privacy, parents' threats of lawsuits and protests, and the involvement of civil liberties groups, which eventually pushed InCom to call off the testing at the Brittan School.

EPIC's press release:
EPIC-ACLU-EFF joint letter to the Brittan School Board:
For more information about how RFIDs affect children, visit EPIC's Children and RFID Systems Page:

[3] EPIC Opposes Sharp Increase in TSA Surveillance Spending

EPIC submitted a letter to the Senate Committee on Commerce, Science and Transportation voicing its strong opposition to the significant increase in federal funding for the Transportation Security Administration's surveillance programs, such as its Secure Flight passenger prescreening program, its Registered Traveler passenger prescreening program, and its Transportation Worker Identity Credential program.

TSA has a history of failing to meet its legal obligations for openness and transparency under the Freedom of Information Act and violating the spirit of the Privacy Act. TSA has continued to place a low priority on the privacy rights of American citizens in the development of these surveillance programs.

TSA also has shown a proclivity to using personal information for reasons other than the ones for which the information was gathered or volunteered, as evidenced by the TSA documents about the now-defunct CAPPS II passenger profiling program that EPIC obtained under FOIA.

TSA also has shown poor management of its financial resources, as Cathleen Berrick, Government Accountability Office Director of Homeland Security and Justice, testified at the Senate Committee on Commerce, Science & Transportation hearing concerning funding for TSA on February 15, 2005. Ms. Berrick testified that in Fiscal Year 2005, TSA was forced to transfer about $61 million from its Research and Development budget of $110 million, to support its operations, such as personnel costs for screeners.

EPIC letter to the Senate Committee on Commerce, Science &

For more information about the proposed Fiscal Year 2006 budget, see EPIC's U.S. Domestic Spending on Surveillance Page:

For more information about travelers' privacy rights, see EPIC's Passenger Profiling Page:

[4] EPIC Comments on DC Metro's Public Access to Records Policy

In December 2004, the Washington Metropolitan Area Transit Authority's board (Metro) requested changes to its new Public Access to Records Policy (PARP) and Privacy Policy. Both documents were available for comments until February 14, and Metro has committed that it will take the suggestions into account before releasing its final policies.

EPIC has submitted comments on both policies. Compared to their earlier versions, they generally better protect the privacy of Metro riders, while allowing the public and the media to get improved access to information about Metro. The new PARP offers more rights to requesters and its amendments are closer in spirit to the federal Freedom of Information Act. As an example of the positive changes, the new PARP provides information requesters with a right of administrative appeal and judicial review to challenge denials.

However, a few PARP provisions may allow Metro to deny information access requests for illegitimate reasons, which could in turn preclude adequate public oversight of its activities and prevent meaningful accountability. For example, under the current policy, Metro officials would have to refuse requesters the disclosure of any records that are related to the SmarTrip program, no matter whether they identify an individual or not. The information exempted from disclosure could include policy documents, and generally all records likely to -- without divulging SmarTrip users' personal information -- significantly contribute to public understanding of the operations or activities of Metro and its SmarTrip program.

Metro's SmarTrip program involves the use of a permanent, rechargeable farecard embedded with a special computer chip that keeps track of the card's value and travel itineraries. It allows Metro to know where any of its riders has gone within its transportation network at any given moment and to match these records with the rider's name, address and credit card.

Metro's new Privacy Policy would disclose its riders' personal information (including all SmarTrip information) upon a written request from the head of any federal, state or local government agency in the context of a specific civil or criminal law enforcement activity. EPIC made it clear in its comments that the disclosure by Metro of personal information to a government agency requires a court order as well as adequate accounting of the disclosure.

EPIC's comments to DC Metro:
New Metro PARP and Privacy Policy:

[5] Bipartisan Legislation Introduced to Enhance Open Government

Senators John Cornyn (R-TX) and Patrick Leahy (D-VT) recently introduced the "Openness Promotes Effectiveness in our National Government Act," legislation that will improve government accountability by expanding and fortifying the Freedom of Information Act. Rep. Lamar Smith (R-TX) has introduced an identical companion bill in the House.

The OPEN Government Act would add teeth to the FOIA by encouraging agencies to release information in a timely manner. The law would require agencies to assign tracking numbers to requests within 10 days of receipt. Agencies would also be obligated to create telephone or Internet services to allow individuals to track the status of their requests and estimated completion times for processing. Agencies failing to respond to a request within 20 days would lose the right to withhold information unless they could show good reason for the delay, or if disclosure would endanger national security, reveal personal or proprietary information, or violate the law.

The OPEN Government Act would also broaden the rights of requesters. The legislation would expand the definition of news media requesters so that smaller, nontraditional media such as Internet bloggers would be entitled to fee waivers under the FOIA. The bills would also make it easier for requesters to recover attorneys' fees and court costs if forced to sue the government under the FOIA to obtain documents.

The OPEN Government Act would also enhance oversight by requiring agencies to submit more detailed reports on how they handle FOIA requests. Furthermore, the Comptroller General would be required to examine and report on the Department of Homeland Security's withholding of critical infrastructure information provided by private companies.

In addition, the proposed law would expand the FOIA to cover government records maintained by private companies. It also would create an Office of Government Information Services to oversee agencies' FOIA processing procedures and mediate disputes.

The Senate bill has been referred to the Judiciary Committee. A subcommittee hearing on the bill is expected in mid-March.

More information about the OPEN Government Act, S. 394, is available at:

For more information about the Freedom of Information Act, see EPIC's Open Government Page:

[6] News in Brief

Accountability Office Weighs In on US-VISIT, Secure Flight

The Government Accountability Office recently released a report on the Department of Homeland Security's planned expenditures for US-VISIT in the coming year and compliance with recommendations the office previously made for the program. The report concluded that DHS has made some progress satisfying requirements for the program determined by Congress, but much remains to be done. Among other things, the office found that the agency has not conducted a security risk assessment of the program, and has no anticipated date for completing one. Furthermore, the GAO noted that the most recent privacy impact assessment for US-VISIT does not fully comply with the Office of Management and Budget's guidance for conducting such evaluations.

The GAO has also issued a report examining the Transportation Security Administration's measures for testing the use of commercial data within Secure Flight, the agency's passenger prescreening program currently under development. The report determined that the agency has developed preliminary measures for concept testing, but further review will be needed to determine "if the measures are designed to identify relevant impacts on aviation security, and reflect attributes of successful performance measures for that purpose."

Government Accountability Office, Homeland Security: Some Progress Made, but Many Challenges Remain on U.S. Visitor and Immigration Status Indicator Technology Program:

Government Accountability Office, Aviation Security: Measures for Testing the Impact of Using Commercial Data for the Secure Flight Program:

For more information about US-VISIT, visit EPIC's US-VISIT Page:

For more information about aviation security measures, visit EPIC's Passenger Profiling Page:

EPIC Files Comments on FTC's COPPA Rule Change

EPIC submitted comments to the Federal Trade Commission on its proposal to weaken the Children's Online Privacy Protection Act's parental notice requirements. EPIC challenged the underlying assumptions presented by the FTC in its proposal to make permanent the "Sliding Scale 2005" which addresses parental communications regarding their children's online activity.

EPIC has had a long-standing interest in children's online privacy and was one of the first organizations to support the effort to improve the Internet privacy of children.

EPIC Comments to the FTC are available at:
For more information, visit EPIC's Children's Online Privacy Protection Act Page:

EPIC Submits Views to NIST on Federal ID Privacy Concerns

EPIC submitted comments to the National Institute of Science and Technology (NIST) on "Special Publication 800-73" titled "Interfaces for Personal Identity Verification," to warn of the potential to do more harm than good if important considerations like federal employee privacy and third party use of a broadly used federal employment ID are not taken into consideration during the development phase. EPIC also warned that agencies should not use employees' social security numbers as part of the identification system for these proposed federal identification documents. Last month EPIC testified at a hearing held by NIST and the Office of Management and Budget. EPIC concluded that the proposed Personal Identity Verification for Federal employees and contractors does not take privacy protections into account.

EPIC Comments to NIST are available at:

EPIC's Testimony to NIST is available at:

For more information on workplace privacy, see EPIC's Workplace Privacy Page:

Senate Unanimously Passes Genetic Nondiscrimination Bill

This week the US Senate unanimously passed the Genetic Information Nondiscrimination Act of 2005, which prohibits employers from using genetic information in employment decisions and insurance companies from denying coverage or basing premium rates on that data. The bill also establishes privacy protections for genetic information held by employers, employment agencies, labor organizations, and others. Last year, a similar bill was passed in the Senate but died in the House.

For more information on bill S.306:

For more information see EPIC's Genetic Privacy Page:

Anti-Spyware Bill Would Exempt Software Cookies

The House Subcommittee on Commerce, Trade and Consumer Protection has approved the Spy Act, anti-spyware legislation. The Spy Act aims to prevent spyware purveyors from hijacking a Web site's home page or tracking users' keystrokes. It only allows for the collection of personal information after express consent from users. The legislation also requires that spyware programs be easily identifiable and removable.

But subcommittee chairman Clifford Stearns (R-FL) attached an amendment that would exempt software cookies, including third-party cookies, from the spyware definitions covered by the legislation. Embedded ads on web pages would also be exempted from the legislation's requirements that online ads include identifying information so consumers can find and remove the software causing them. The legislation now goes to the full Commerce Committee for a vote.

More information about the Spy Act, H.R. 29, is available at:

For more information on Internet privacy and cookies, see EPIC's Internet Privacy Page:

Federal Government's Cyber-Security Fails to Make the Grade

For the fifth straight year, at least half of all federal agencies received a grade of "D" or worse on the House Government Reform Committee's annual cyber-security report card. The Department of Homeland Security and seven other agencies each received an "F." The federal government received an overall grade of "D-plus," up slightly from last year's "D" and 2002's "F."

The full report card is available at (pdf):
For more information, see EPIC's Online Guide to Practical Privacy Tools:

US Government Agency Directs .us to End Anonymous Domain Registration

The US Department of Commerce National Telecommunications and Information Administration (NTIA) has directed Neustar, the company that runs .us, to prohibit anonymous or proxy domain registration. This direction by the NTIA is intended to create a complete and accurate WHOIS database. What this does, however, is ensure that registrants' data including such personal information as address and phone number will be made publicly and anonymously accessible to anyone online including spammers and marketers.

For more information, see EPIC's WHOIS Page:

[7] EPIC Bookstore: Michael Chesbro's Privacy Handbook

Michael Chesbro, Privacy Handbook: Proven Countermeasures for Combating Threats to Privacy, Security, and Personal Freedom (Paladin Press 2002).

"'Those who would give up essential liberty to purchase safety,' stated Benjamin Franklin in 1759, 'deserve neither liberty nor safety.' Unfortunately, in today's climate of fear, the government, the media and plenty of other American citizens see things differently. If you are not willing to accept "some restrictions in civil liberties to guarantee security," (as Tom Brokaw and others have phrased it), this book is essential reading. In it, Michael Chesbro shares hundreds of simple but effective measures you can take - short of armed revolution - to preserve your privacy and sovereignty in the face of Big Brother run amok. By being aware of the various threats to financial privacy, computer and online security, private communications, home security and more, and by employing these techniques to combat them, you can protect yourself from rogue government agents and meddling bureaucracies as well as nosy neighbors, prying family members, identity thieves, stalkers, solicitors and other enemies of privacy and personal liberty."

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, as well as recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

The Concealed I: Anonymity, Identity, and the Prospect of Privacy. On the Identity Trail and the Law and Technology Program at the University of Ottawa. March 4-5, 2005. Ottawa, Canada. For more information:

The Health Information Technology Summit West. eHealth Initiative. March 6-8, 2005. San Francisco. For more information:

IAPP National Privacy Summit 2005. International Association of Privacy Professionals. March 9-11, 2005. Washington, DC. For more information:

O'Reilly Emerging Technology Conference. March 14-17, 2005. San Diego, CA. For more information:

Policy Options and Models for Bridging Digital Divides: Freedom, Sharing and Sustainability in the Global Network Society. March 14-15, 2005. Project on Global Challenges of eDevelopment, Hypermedia Laboratory, University of Tampere. Tampere, Finland. For more information:

2005 National Freedom of Information Day Conference. First Amendment Center. March 16, 2005. Washington, DC. For more information:

7th International General Online Research Conference. German Society for Online Research. March 22-23, 2005. Zurich, Switzerland. For more information:

The 2005 Nonprofit Technology Conference. Nonprofit Technology Enterprise Network. March 23-25, 2005. Chicago, IL. For more information:

The Global Flow of Information Conference 2005. Information Society Project at Yale Law School. April 1-3, 2005. New Haven, CT. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. April 4-8, 2005. Mar del Plata, Argentina. For more information:

VoIP World Africa 2005. April 5-7, 2005. Terrapinn. Johannesburg, South Africa. For more information:

RFID Journal LIVE! 2005. April 10-12. Chicago, IL. For more information:

CFP2005: Fifteenth Annual Conference on Computers, Freedom and Privacy. April 12-15, 2005. Seattle, WA. For more information:

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research. May 8-11, 2005. Berkeley, CA. For more information:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing. Technical Committee on Security & Protection in Information Processing Systems with the support of Information Processing Society of Japan. May 30-June 1, 2005. Chiba, Japan. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. July 11-15, 2005. Luxembourg City, Luxembourg. For more information:

3rd International Human.SocietyInternet Conference. July 27-29, 2005. Tokyo, Japan. For more information:

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005. Edinburgh, Scotland. For more information:

5th Annual Future of Music Policy Summit. Future of Music Coalition. September 11-13, 2005. Washington DC. For more information:

The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. November 30-December 4, 2005. Vancouver, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

