
EPIC Alert


EPIC Alert 12.05 [2005] EPICAlert 6


Volume 12.05 March 11, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Launches West Coast Office, Continues to Probe ChoicePoint
[2] New Report: FTC Market Approach Fails to Protect Consumer Privacy
[3] "Spotlight on Surveillance" Highlights Federal Spending on Snooping
[4] EPIC Urges Careful Scrutiny of Proposed Federal Profiling Agency
[5] Comments Outline Voter Registration Problems in the 2004 Election
[6] News in Brief
[7] EPIC Bookstore: William S. Hubbartt's Workplace Privacy
[8] Upcoming Conferences and Events

[1] EPIC Launches West Coast Office, Continues to Probe ChoicePoint

EPIC launched a West Coast Office this month. The office, located in downtown San Francisco, will focus on state-based initiatives to enhance consumer privacy. Chris Jay Hoofnagle, formerly Associate Director in EPIC's Washington office, will direct the new EPIC West office.

California and other states have developed innovative strategies to privacy protection for Social Security numbers, identity theft, and direct marketing. For instance, California's security breach notice law was responsible for forcing ChoicePoint to reveal its recent sale of personal information to criminals. EPIC West will leverage that California law and others to promote model privacy protections for the entire nation.

Serious questions continue to surround the sale of personal information to criminals by ChoicePoint, a commercial data broker. Last week, it was revealed that ChoicePoint had also sold personal information to criminals in 2002. This week, security breaches were announced by commercial data broker Seisint, and by retailer DSW Shoe Warehouse. The continued news of new and old breaches has shifted the debate in Washington from one where Congress was discussing whether a problem exists, to one where legislators are focusing on what should be done. Hearings on ChoicePoint will be held within the next week in the Senate Banking Committee and the House Commerce and Ways and Means Committees.

Daniel J. Solove, a professor at the George Washington School of Law, and Hoofnagle have published a proposal to address commercial data brokers, and are requesting comment from the public on the draft. The "Model Privacy Regime" proposes sixteen reforms, including a requirement that all commercial data brokers register with the Federal Trade Commission so that individuals can learn about how their information is used, gain access to it, and exercise other rights. Because companies such as ChoicePoint trade in the same personal information that is used for passwords in the credit system, the proposal includes a call for a credit freeze right -- the ability of an individual to prevent release of a credit report without specific consent. Also included in the regime is a requirement for law enforcement to comply with specific procedures before gaining access to a commercial data broker report on an individual. Under current laws, including the Fair Credit Reporting Act, law enforcement cannot gain access to reports without showing a specific need; they should not be able to get the same information from a commercial data broker without complying with a similar set of procedures.

Model Privacy Regime for Commercial Data Brokers proposed by Solove and Hoofnagle:

For more information, see EPIC's ChoicePoint Page:

Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement:

[2] New Report: FTC Market Approach Fails to Protect Consumer Privacy

In a policy report released last week, EPIC called upon the Federal Trade Commission to abandon its self-regulatory approach to Internet privacy. For ten years, the FTC has maintained its faith in market approaches to privacy, while business practices have become steadily more invasive. Self-regulation has led to a decade of disappointment; one where Congress has been stalled and the public anesthetized, as privacy practices have steadily worsened.

The report argues that the FTC is capable of creating reasonable and effective privacy protections, as evidenced by the agency's Do-Not-Call telemarketing registry. Prior to the creation of the Registry, the telemarketing industry created self-regulatory protections that were largely useless. One had to write a letter to opt out of telemarketing, or pay to opt out by giving her credit card number to the Direct Marketing Association (DMA). The industry's self-regulatory efforts didn't even cover all telemarketers -- only those that were members of the DMA. At its peak, the self-regulatory opt-out system had less than 5 million enrollments. The FTC's regulatory approach to telemarketing took the opposite approach in every fashion. It is free and easy to enroll in the government-created list, it applies to almost all telemarketers, and its effectiveness is obvious -- the dinner hour is preserved for the 80 million numbers enrolled in the Registry.

Just as the market failed to provide adequate protections against the 20th century problem of telemarketing, self-regulation is failing to address the 21st century problems in electronic commerce. New tracking technologies exist that individuals are unaware of, and old tracking technologies continue to be employed. Some companies deliberately obfuscate their practices so that consumers remain in the dark. Spyware has developed and flourished under self-regulation. Emerging technologies represent serious threats to privacy and are not addressed by self-regulation or law. And, while self-regulatory bodies have busied themselves with the drafting of "short privacy notices," they have not produced a single viable anonymous payment mechanism for e-commerce.

The report also notes that the worst identification and tracking policies from the online world are finding their way into the offline world. In other words, the lack of protection for privacy online not only has resulted in a more invasive web environment, but has also started to drag down the practices of ordinary, offline retailers. For instance, offline retailers are engaging in more extensive profiling of customers, including collection of information that allows businesses to "fire" customers who complain too much.

The EPIC report concludes by urging the FTC to rethink the developments of the past ten years in Internet privacy, and consider a baseline of privacy protection for individuals that is consistent with Fair Information Practices.

EPIC Report: Privacy Self-Regulation, A Decade of Disappointment:

A high-resolution PDF version of the report features advertisements for personal data sold by major companies, including Victoria's Secret and 1-800-FLOWERS:

[3] "Spotlight on Surveillance" Highlights Federal Spending on Snooping

President Bush's proposed $2.57 trillion federal budget for Fiscal Year 2006 greatly increases the amount of money spent on surveillance technology and programs while cutting about 150 programs -- most of them from the Department of Education. EPIC has launched a new project called "Spotlight on Surveillance" which will scrutinize these surveillance programs.

This month, "Spotlight on Surveillance" shines on Customs and Border Protection's "America's Shield" initiative and finds that it is riddled with holes. The agency seeks $51.3 million in Fiscal Year 2006 for this program, an upgrade of the existing Integrated Surveillance Intelligence System. America's Shield received $88.1 million in 2005 and the agency's estimate in August 2004 was that full budget requests through 2010 would add up to $2 billion.

America's Shield uses video and sensor surveillance technology to watch over America's borders in cities such as San Diego, California, and Detroit, Michigan. There are substantial problems with the America's Shield initiative -- most significantly, the program's sensor equipment wastes time and money because it cannot distinguish between humans and animals. This increase in spending on surveillance and monitoring systems has not helped the agency's bottom line. In 2000, the agency made 1.6 million apprehensions; every year since then the number has steadily fallen, now hovering around half that amount.

For more information, see EPIC's Spotlight on Surveillance Page:

EPIC's U.S. Domestic Spending on Surveillance Page:

[4] EPIC Urges Careful Scrutiny of Proposed Federal Profiling Agency

In a letter to a House subcommittee, EPIC urged careful scrutiny of the Department of Homeland Security's proposed Office of Screening Coordination and Operations (SCO). EPIC explained to the House Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity that this proposed federal profiling agency would oversee vast databases of digital fingerprints and photographs, eye scans and personal information from millions of American citizens and lawful foreign visitors.

Homeland Security is requesting $847 million to finance SCO in Fiscal Year 2006. The agency would house several of the Transportation Security Administration's current surveillance programs, including Registered Traveler, United States-Visitor and Immigrant Status Indicator Technology (US-VISIT), Free and Secure Trade, NEXUS/Secure Electronic Network for Travelers Rapid Inspection, Transportation Worker Identity Credential, Hazardous Materials Trucker Background Checks, and Alien Flight School Checks.

EPIC's letter stated that "[t]his mass compilation of personal information has inherent dangers to citizens' privacy rights and it is imperative that SCO fulfill its legal obligations for openness and transparency under the FOIA and Privacy Act." Homeland Security has announced that the office's operations would be conducted in a manner that safeguards civil liberties, but the agency has not yet explained how it proposes to protect privacy rights or ensure accountability. EPIC urged the subcommittee to press the agency to openly and transparently explain how it intends to safeguard American citizens' privacy rights under the proposed federal profiling agency.

EPIC letter to the House Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity:

For more information about the proposed Fiscal Year 2006 budget, see EPIC's U.S. Domestic Spending on Surveillance Page:

[5] Comments Outline Voter Registration Problems in the 2004 Election

EPIC submitted comments to the Election Assistance Commission on a planned survey of states to determine their performance under National Voter Registration Act requirements. The Federal Register announcement published on February 22 by the commission set the deadline for receipt of comments by February 25. EPIC offered insight into the many problems experienced by voter registration systems and made specific requests for the gathering of data from the states.

EPIC's comments warned about the lack of transparency in the voter registration process and a need for safeguards for voter privacy. There were a number of instances where the easy access to voter registration information may have facilitated attempts at identity theft. Some of the other problems may include, but are not limited to, poor administration of voter registration, uncertainty about voter registration status, and third party voter registration efforts.

State voter registration rolls have experienced management and administration problems as evidenced by numerous newspaper reports during last year's election. The Election Protection efforts that used the online Election Incident Reporting Systems to record voter complaints during the 2004 election logged over 14,000 voter registration related complaints.

These voter registration problems predate 2004. In 2000 Florida was given a list of 8,000 names from a data broker -- since acquired by ChoicePoint -- which incorrectly identified them as having felony convictions in the state of Texas. This is only one of the many errors discovered on the purge list used in that, and other, states during the 2000 Presidential election. In 2004 some of the same problems reoccurred when Accenture provided the felon purge list containing 47,763 names. This list was later found to have many errors, forcing it to be discarded.

The issue that EPIC is monitoring involves provisions of the Help America Vote Act, which requires every state to adopt a statewide-centralized voter registration list that will allow access to each election official within the state, comparisons of records with motor vehicle records, and the Social Security Administration for those without state identification. The solution that some states are pursuing involves the outsourcing of this requirement to private contractors. Data brokers like Accenture, which has netted a number of state contracts for this work to centralize voter registration lists, have Florida, Pennsylvania, Wisconsin, and Colorado as clients.

EPIC comments to the Election Assistance Commission:

For more information, see EPIC's Centralized Voter Registration Database Page:

EPIC's Voting Page:

[6] News in Brief

Senators Propose Bill to Examine Delays in FOIA Processing

Senators John Cornyn (R-TX) and Patrick Leahy (D-VT) have introduced the Faster FOIA Act, legislation that will create a sixteen-member advisory commission to examine the efficacy of the Freedom of Information Act. The commission would be tasked with suggesting ways to decrease delays in the processing of Freedom of Information Act requests, as well as studying whether the system for charging fees and granting fee waivers causes delays in processing. The commission would be required to issue a report to Congress on its findings.

In related news, the Senate Judiciary Committee's Subcommittee on Terrorism, Technology and Homeland Security will hold a hearing on the OPEN Government Act on March 15. The bill, proposed by Sens. Cornyn and Leahy last month, would improve government accountability by expanding and fortifying the Freedom of Information Act (see EPIC Alert 12.04).

The Faster FOIA Act:

For more information, see EPIC's Open Government Page:

Bank of America Loses 1.2 Million Federal Employees' Personal Data

On February 25, Bank of America confirmed that it had lost "a small number of computer data tapes" during shipment in December 2004 containing charge card program and account information on 1.2 million federal workers. The personal information on the tapes included names, addresses and Social Security Numbers, leaving individuals prone to identity theft. Bank of America did not specify how the tapes disappeared, but Senator Charles E. Schumer (D-NY) said he was told the data backup tapes were likely stolen off a commercial plane by baggage handlers. It is unclear whether Bank of America encrypted the personal data before shipping it on tapes to its backup data center.

People who may have been affected have been advised to monitor activities on their accounts, but Bank of America does not offer a free credit report monitoring service to them. Sen. Susan Collins (R-ME) has called for Bank of America to detail the bank's actions to ensure the safety of federal credit cardholders' personal data.

Bank of America press release:

32,000 Americans at Risk After Data Broker's Security Breach

Data broker LexisNexis announced that its subsidiary, Seisint, may have allowed criminals to access sensitive information on 32,000 U.S. citizens, including names, addresses, Social Security and driver's license numbers. Seisint is a Florida firm that sells data amassed from public records to law enforcement agencies, businesses, private investigators, and others. Seisint is also responsible for the Multistate Anti-Terrorism Information Exchange Program (MATRIX), a controversial law enforcement data mining program that has floundered in recent months due in part to privacy concerns.

Seisint's security breach comes on the heels of two other data access scandals. A month ago, it was revealed that data broker ChoicePoint sold data on 145,000 people to a criminal ring engaged in identity theft. Just two weeks ago Bank of America announced that data tapes containing personal information on 1.2 million federal employees were either stolen or lost in late December.

For more information on MATRIX, visit:

For more information, see EPIC's ChoicePoint Page:

For more information, see EPIC's Financial Privacy Page:

Agency Upholds Dismissal of EPIC's Claims Against Northwest

The Department of Transportation has affirmed its dismissal of EPIC's complaint against Northwest Airlines, concluding that "an enforcement action is not in the public interest." EPIC had argued that the airline violated its privacy policy by disclosing millions of passenger records to NASA for use in a data mining study, thus committing an unfair and deceptive trade practice.

Department of Transportation Order Affirming Dismissal:

For more information, see EPIC's page on the Northwest disclosure:

EPIC Introduces New Web Page on Secure Flight

EPIC has added a web page to its site focusing on the Transportation Security Administration's Secure Flight passenger prescreening proposal. The page provides the latest news on the controversial program, discusses its history, and describes its current status. The page also provides resources on Secure Flight from the Transportation Security Administration and the Government Accountability Office's recent report on measures for testing the use of commercial data within Secure Flight.

EPIC's Secure Flight Page:

[7] EPIC Bookstore: William S. Hubbartt's Workplace Privacy

William S. Hubbartt, The New Battle over Workplace Privacy: How Far Can Management Go? What Rights Do Employees Have? Safe Practices to Minimize Conflict, Confusion, and Litigation (American Management Association 1998).

"Employers need to protect themselves from workers whose behavior damages the company. Does that give them the right to conduct random drug tests, read employees' e-mail, search desk drawers, and monitor off-the-job activities?

"Workplace privacy issues are complex -- many employers are confused about their legal and ethical rights. The New Battle Over Workplace Privacy provides critical information to help companies create appropriate policies and practices. Through case examples, highlights of state and federal laws, checklists, and sample policies, this book shows a company how to:

" -- protect itself from employee theft, substance abuse, and other misconduct
 -- stay within legal bounds by learning what laws are (and aren't) in place
 -- avoid litigation -- and win the cases that do go to court."

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50.

This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price:

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and international privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

O'Reilly Emerging Technology Conference. March 14-17, 2005. San Diego, CA. For more Information:

Policy Options and Models for Bridging Digital Divides: Freedom, Sharing and Sustainability in the Global Network Society. March 14-15, 2005. Project on Global Challenges of eDevelopment, Hypermedia Laboratory, University of Tampere. Tampere, Finland. For more information:

2005 National Freedom of Information Day Conference. First Amendment Center. March 16, 2005. Washington, DC. For more information:

Conference: Implementing PIPEDA: A Review of Internet Privacy Statements and On-Line Practices. Centre for Innovation Law and Policy and Information Policy Research Program. March 18, 2005. Toronto, Ontario. For more information:

7th International General Online Research Conference. German Society for Online Research. March 22-23, 2005. Zurich, Switzerland. For more information:

The 2005 Nonprofit Technology Conference. Nonprofit Technology Enterprise Network. March 23-25, 2005. Chicago, IL. For more information:

The Global Flow of Information Conference 2005. Information Society Project at Yale Law School. April 1-3, 2005. New Haven, CT. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. April 4-8, 2005. Mar del Plata, Argentina. For more information:

VoIP World Africa 2005. April 5-7, 2005. Terrapinn. Johannesburg, South Africa. For more information:

RFID Journal LIVE! 2005. April 10-12. Chicago, IL. For more information:

CFP2005: Fifteenth Annual Conference on Computers, Freedom and Privacy. April 12-15, 2005. Seattle, WA. For more information:

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research. May 8-11, 2005. Berkeley, CA. For more information:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing. Technical Committee on Security & Protection in Information Processing Systems with the support of Information Processing Society of Japan. May 30-June 1, 2005. Chiba, Japan. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. July 11-15, 2005. Luxembourg City, Luxembourg. For more information:

3rd International Human.Society@Internet Conference. July 27-29, 2005. Tokyo, Japan. For more information:

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005. Edinburgh, Scotland. For more information:

Annual Future of Music Policy Summit. Future of Music Coalition. September 11-13, 2005. Washington DC. For more information:

The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. November 30-December 4, 2005. Vancouver, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

