WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2005 >> [2005] EPICAlert 7

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 12.06 [2005] EPICAlert 7


Volume 12.06 March 24, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Calls for Regulation of Choicepoint; Coalition Demands Action
[2] Madrid Summit Urges Democratic Response to Threats of Terrorism
[3] Google's Gmail Subject of EPIC West Testimony in California Senate
[4] Transportation Biometric ID Raises Privacy Concerns; Review Urged
[5] EPIC Introduces EPIC FOIA Notes, 2005 FOIA Gallery
[6] News in Brief
[7] EPIC Bookstore: J.J. Luna's "How to Be Invisible"

[8] Upcoming Conferences and Events

[1] EPIC Calls for Regulation of Choicepoint; Coalition Demands Action

EPIC Executive Director Marc Rotenberg urged lawmakers to regulateChoicepoint and other data brokers in testimony last week before a Housesubcommittee on consumer protection. Mr. Rotenberg testified that thereis too much secrecy and too little accountability in the businessdealings of data brokers, and the Choicepoint debacle underscores theneed for federal regulation of the information broker industry.
Choicepoint recently admitted that it had sold personal information on145,000 people to a criminal ring involved in identity theft.

Congressional members questioned Choicepoint about its response to thesituation. Rep. Edward J. Markey (D-MA) asked Choicepoint to do more forthe 145,000 victims than the data broker has done. Choicepoint hasagreed to give the victims a year of free credit monitoring, but Rep.
Markey asked Choicepoint CEO Derek Smith to give "a lifetime monitoringservice and instant e-mail and postal alerts for each and every consumerhas been victimized as a result of Choicepoint's negligence." Rep.
Markey also asked Mr. Smith to give each victim "exactly what personalinformation was compromised and not this vague letter telling them thatit could include all of this, but we're not going to give you the exactinformation."

Mr. Smith did not immediately agree to extend the monitoring service forthe victims. However, Mr. Smith did agree to give "the specificinformation that was on that report that could potentially could havebeen used," to each victim that requested the information fromChoicepoint.

In December EPIC filed a complaint with the Federal Trade Commissionraising questions about Choicepoint and other data brokers' businesspractices. Rep. Markey asked FTC Chairman Deborah Platt Majoras if thecommission began to investigate Choicepoint after receiving EPIC'scomplaint. Chairman Majoras said that the FTC did not begin itsinvestigation of Choicepoint until later.

Rep. Markey expressed disappointment with the FTC's actions. "The pointI'm trying to make here is that I think that there was a warning, thatthere was information at the Federal Trade Commission, that the FederalTrade Commission has to be much more aggressive than it has been in thepursuit of the protection of the privacy of individuals. And this is theperfect example of where the Federal Trade Commission was not asaggressive as the American people would expect you to be," he said.

After the House subcommittee hearing, EPIC, Privacy RightsClearinghouse, PIRG, Privacy Times, and World Privacy Forum wrote toChairman Majoras, requesting that the agency reevaluate its positionconcerning Choicepoint and other commercial data brokers. The groupswrote that the FTC testimony at the hearing "was not well informed, anddid not adequately reflect the concerns of American consumers about thesale of their sensitive personal information."

The letter said that the FTC may be responsible for the growth of thecommercial data broker industry. In the 1990s, the FTC defined "creditreport" in such a way as to create the "credit header loophole." Thisloophole allowed many businesses to openly traffic in Social SecurityNumbers with no restriction at all, fueling the databases of companieslike Choicepoint. Also in the 1990s, in response to congressionalattention, commercial data brokers developed a weak self-regulatorysystem, known as the Individual Reference Services Group (IRSG)
Principles. The principles allowed commercial data brokers to sellSocial Security Numbers and other information to whomever they deemed"qualified." The principles contained no effective right to opt-out, noright to free access, no right of enforcement, and no right tocorrection. In light of the weak IRSG Principles, however, the FTC didnot call for substantive regulation of the industry.

EPIC's Testimony before the House Subcommittee on Commerce, Trade, andConsumer Protection (pdf):

Coalition Letter on FTC Choicepoint Testimony (pdf):

EPIC's December 2004 Complaint to the FTC:

Request your Choicepoint Background Check and Public Records and reportby visiting:


EPIC's Choicepoint page:

[2] Madrid Summit Urges Democratic Response to Threats of Terrorism

World leaders, policy experts, and civil society representativesgathered in Madrid, Spain, to commemorate the victims of the railwaytrain bombing of March 11, 2004 and to consider how democraticgovernments should best respond to the threat of future acts ofterrorism. The International Summit on Democracy, Terrorism, andSecurity concluded with the release of the Madrid Agenda. The statementis "an agenda for action for Governments, institutions, civil society,the media and individuals," and "[a] global democratic response to theglobal threat of terrorism." Among other recommendations, the leaders ofdemocratic governments proposed "[t]he creation of a global citizensnetwork, linking the leaders of civil society at the forefront of thefight for democracy from across the world, taking full advantage ofweb-based technologies and other innovative forms of communication."

At the closing plenary session UN Secretary General Kofi Annan urgedgovernments to safeguard human rights and the rule of law. Mr. Annansaid that "many measures which States are currently adopting to counterterrorism infringe on human rights and fundamental freedoms." Mr. Annanwarned that "compromising human rights cannot serve the struggle againstterrorism. On the contrary, it facilitates achievement of theterrorist's objective - by ceding to him the moral high ground, andprovoking tension, hatred and mistrust of government among preciselythose parts of the population where he is most likely to find recruits."

A special session on "Democracy, Terrorism and the Internet" issued adeclaration, "The Infrastructure of Democracy," urging governments tounderstand that an open Internet, like democratic government, providesthe best response to future acts of terrorism. According to thedeclaration, "The Internet is fundamentally about openness,participation, and freedom of expression for all -- increasing thediversity and reach of information and ideas." The declaration alsourged governments to avoid restrictions on anonymity, which "would behighly unlikely to stop determined terrorists, but would have a chillingeffect on political activity and thereby reduce freedom andtransparency."

The Varsavsky Foundation, in collaboration with the Spanish government,helped organize the event and supported civil society participation.

International Summit on Democracy, Terrorism, and Security:

The Madrid Agenda:

Speech of Kofi Annan:

The Infrastructure of Democracy:

The Infrastructure of Democracy (Spanish):

The Varsavsky Foundation:

The Public Voice:

[3] Google's Gmail Subject of EPIC West Testimony in California Senate

In testimony to the California Senate Judiciary Committee, EPIC WestDirector Chris Jay Hoofnagle argued that Google's Gmail service presentssignificant risks to personal privacy. Gmail is an advertising-supportede-mail system that offers 1 gigabyte of storage. The Gmail system readsthe actual content of e-mail and attachments in order to targetadvertising. While Google calls this process content "scanning," thecompany's patents use the phrase "content extraction" to describe theGmail model.

Mr. Hoofnagle argued that Gmail users bargain away their own privacy,but in doing so, also give away the privacy of non-subscribers. Thosewho send e-mail to Gmail users also experience content extraction butnever receive notice or consent to the process.

Many information collection programs originally performed for commercialpurposes are now used for law enforcement or anti-terrorism purposes,Mr. Hoofnagle said. In the 1990s, privacy advocates warned regulatorsthat direct marketers would turn over their information to thegovernment. Now we know that instead of turning it over, major directmarketing companies, including Acxiom and Choicepoint, actively sellpersonal information to the government. Similar risks exist with Gmail,although Google did not address those risks in its testimony. Instead,the company focused the debate on whether "personally identifiableprofiles" are created by content extraction. The company argues thatsince there is no data retention from content extraction, there is norisk to privacy. However, this argument ignores the risk that the Gmailsystem could change, either by the company's own initiative, or by courtorder sought by a law enforcement agency.

The ACLU of Northern California, also testifying at the hearing, arguedthat content extraction may reduce Fourth Amendment expectations ofprivacy. If a major online e-mail provider such as Google is allowed tomonitor private communications, even in an automated way, theexpectations of e-mail privacy may be eroded. These effects arelong-term and will undoubtedly outlive Gmail.

Google defends Gmail by stating that e-mail scanning is no differentthan virus scanning or spam interdiction. While it is true that there isno technical difference between these functions, there fundamental legaldifference. The law has long recognized that communications providersshould not peek into the contents of a message unless they have a validreason relating to the delivery of service. At the hearing, Google didnot address the legal difference.

EPIC Testimony on Gmail:


[4] Transportation Biometric ID Raises Privacy Concerns; Review Urged

In comments filed on March 18, EPIC urged the Transportation SecurityAdministration to delay its test of biometric technology fortransportation workers until it conducts a comprehensive Privacy ImpactAssessment. The assessment should allow the agency "to ensure protectionof the privacy rights of program members." EPIC said that the programmust comply with the federal Privacy Act and noted that there are uniqueproblems associated with biometric technologies.

The comments discussed EPIC's congressional testimony in July 2002,which explained these unique problems. "First, the uniqueness ofbiometric data is affected by time, variability and data collection.
This leads to the second problem: the technologies available are subjectto varying degrees of error, which means that there is an element ofuncertainty in any match. Third, there are several ways to circumvent abiometrics system," EPIC said in the comments.

EPIC also explained that there could be severe consequences for anindividual whose biometric identifier has been compromised. "It ispossible to replace a credit card or Social Security numbers, but howdoes one replace a fingerprint, voiceprint, or retina scan?" EPIC asked.

EPIC stated that allowing employees access to their records would helpensure the accuracy of the information collected and used. EPIC alsourged the agency to incorporate privacy protections into thedecision-making process so that the agency could avoid "later having toawkwardly, expensively, and inefficiently" adjust its biometrictechnology systems.

EPIC's March 18 Comments to the Transportation Security Administration:

EPIC's July 2002 Congressional Testimony:

EPIC's Biometrics page:

[5] EPIC Introduces EPIC FOIA Notes, 2005 FOIA Gallery

In celebration of Sunshine Week earlier this month, the ElectronicPrivacy Information Center launched EPIC FOIA Notes, a new onlinepublication that will help bring attention to secrecy in the federalgovernment.

EPIC FOIA Notes gives subscribers fast access to important documentsobtained by EPIC under the Freedom of Information Act, allowing users ofmobile devices to learn quickly about important open government news.
The publication also gives readers images of actual documents obtainedby EPIC under the FOIA. Links from a short text message go directly toa web page that provides information about the government's latestdisclosures, as well as links to other FOIA resources.

The first two editions of EPIC FOIA Notes highlighted documents recentlyobtained by EPIC from the FBI about data broker Choicepoint. Thedocuments were released as two Congressional hearings examinedChoicepoint's sale of personal information on 145,000 consumers tocriminals posing as legitimate businesses.

In honor of Freedom of Information Day on March 16, EPIC also publishedthe 2005 FOIA Gallery. The web page highlights scanned images of EPIC'smost compelling FOIA disclosures from the past year. Featured documentsinclude an e-mail EPIC obtained from NASA revealing that NorthwestAirlines gave the FBI a year's worth of passenger data after 9/11, aswell as documents showing that the Census Bureau gave the Department ofHomeland Security census data on Arab Americans.

Subscribe to EPIC FOIA Notes (please note that Alert subscribers willnot automatically receive the publication):

EPIC FOIA Notes #2: Choicepoint and FBI:

EPIC 2005 FOIA Gallery:

[6] News in Brief

FTC Makes Recommendations About RFID But Remains NoncommittalThe Federal Trade Commission (FTC) released a report outlining thecontents of a workshop on radio frequency identification technology(RFID) it held in June 2004. The FTC recommended that companies usingRFIDs should ensure that industry initiatives are "transparent," thatthe notice about the use of technology is "clear conspicuous andaccurate," and that consumers are notified if an RFID tag or reader ispresent and if the technology is being used to collect personallyidentifiable information. The agency's recommendations seemnoncommittal, however, and the agency does not appear to adopt a veryproactive role in protecting consumers' interests. The FTC insteadrelies on the RFID industry to come up with self-imposed guidelines,which usually lack penalties for noncompliance or effectiveaccountability and enforcement mechanisms.

Federal Trade Commission's Report, "RFID: Radio FrequencyIdentification: Applications and Implications for Consumers: A WorkshopReport From the Staff of the Federal Trade Commission":

EPIC's RFID page:

Full Senate to Consider Faster FOIA ActThe Senate Judiciary Committee voted unanimously during Sunshine Week tosend the Faster FOIA Act, S. 589, to the full Senate. If passed byCongress, the legislation would impanel a sixteen-member advisorycommission to examine how efficiently the Freedom of Information Actfunctions. The commission would propose ways to decrease delays in theprocessing of Freedom of Information Act requests, as well as determinewhether the system for charging fees and granting fee waivers causesdelays in processing. The commission would be required to report toCongress on its findings.

The Faster FOIA Act:

EPIC's Open Government Page:

Treasury Issues New Customer Notification Breach RegulationUnder new regulations that take effect immediately, financialinstitutions must develop response programs for incidents whereunauthorized access is gained to personal information. Institutions mustassess the incident, give notice to federal regulators whenever"sensitive" personal information is accessed, and take steps to "containand control" the incident to prevent further unauthorized access. When"the institution determines that misuse of its information about acustomer has occurred or is reasonably possible, it should notify theaffected customer as soon as possible."

Guidance on Response Programs for Unauthorized Access to ConsumerInformation (pdf):

EPIC and US PIRG Comments on Response Programs:

Links to Free Credit Report Site UnblockedIn a policy shift, the major credit reporting agencies have unblockedInternet links to the free credit report site,
Previously, the companies only accepted links from a few web sites, andprevented news organizations, state attorneys general, and consumergroups from providing web links to the site. In December 2004, EPIC andother groups urged the Federal Trade Commission to order that the linksbe unblocked. In light of the group letter, Rep. Barney Frank (D-MA)
wrote to the credit industry trade group to summarize changes made atthe site to make it more consumer friendly. Additionally, a recentreport by the World Privacy Forum urges consumers not to use the freesite at all, but rather call to get their reports, as the free siteengages in unnecessary data collection and presents other risks toprivacy.

Group Letter to the FTC About the Free Credit Report Site:

Letter from Representative Frank Concerning Changes to the Site (pdf):

World Privacy Forum Report, "Call, Don't Click":

Congress's Intervention in Schiavo Case Raises Issue of "Living Wills"

On March 21 Congress passed, and President Bush signed, a law thatpreempted state jurisdiction over the case of Terri Schiavo, a woman whois brain-damaged, and transferred jurisdiction to a U.S. district courtfor a federal judge to review. Schiavo's husband and her parents havebeen engaged in a legal battle about whether to permit Schiavo to die orbe kept alive by a feeding tube. The controversy highlights theimportance of making a "living will" to unambiguously explain what aperson would want in such a case. Only an estimated one-fifth ofAmericans have drawn up a document stating their wishes in theeventuality that they become incapacitated. Further complicating thedebate is the fact that state laws on the subject vary.

Text of the Terri Schiavo Bill:

European Ethics Group Raises Concerns About ICT ImplantsOn March 16 the European Group on Ethics in Science and New Technologiespresented an opinion to the European Commission about the ethicalaspects of information and communication technologies (ICT) implants inthe human body. The opinion dealt with the applications of ICT implantsfor health and non-medical purposes, and said the latter applicationsare a potential threat to human dignity and democratic society.
Non-medical ICT implant applications are not explicitly covered byexisting legislation, and the group recommended that the EuropeanCommission launch legislative initiatives in these areas.

Opinion of the European Group on Ethics in Science and New Technologiesto the European Commission on the Ethical Aspects of ICT Implants in theHuman Body (pdf):

EPIC's VeriChip page:

[7] EPIC Bookstore: J.J. Luna's "How to Be Invisible"

J.J. Luna, How to Be Invisible: The Essential Guide toProtecting Your Personal Privacy, Your Assets, and Your Life (ThomasDunne Books 2004)

"From cyberspace to crawl spaces, new innovations in informationgathering have left the private life of the average person open toscrutiny, and worse, exploitation. In this thoroughly revised update ofhis immensely popular guide How to Be Invisible, J.J. Luna shows you howto protect yourself from these information predators by securing yourvehicle and real estate ownership, your bank accounts, your businessdealings, your computer files, your home address, and more.

"J.J. Luna, a highly trained and experienced security consultant, showsyou how to achieve the privacy you crave and deserve, whether you justwant to shield yourself from casual scrutiny or take your life savingswith you and disappearing without a trace. Whatever your needs, Lunareveals the shocking secrets that private detectives and other seekersof personal information use to uncover information and then shows how tomake a serious commitment to safeguarding yourself.

"There is a prevailing sense in our society that true privacy is a thingof the past. Filled with vivid real life stories drawn from theheadlines and from Luna's own consulting experience, How to BeInvisible, Revised Edition is a critical antidote to the privacyconcerns that continue only to grow in magnitude as new and moreefficient ways of undermining our personal security are made available.
Privacy is a commonly-lamented casualty of the Information Age and ofthe world's changing climate-but that doesn't mean you have to stand forit."

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Lawsand Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in more than sixty countries around the world. The surveyexamines a wide range of privacy issues including data protection,passenger profiling, genetic databases, video surveillance, ID systemsand freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 22ndedition fully updates the manual that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or need to learn how to litigatethem), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit onthe Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and theprocess of the World Summit on the Information Society (WSIS). Thisreference guide provides the official UN documents, regional andissue-oriented perspectives, as well as recommendations and proposalsfor future action, as well as a useful list of resources and contactsfor individuals and organizations that wish to become more involved inthe WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

F2C: Freedom to Connect. March 30-31, 2005. Washington, DC. For moreinformation:

The Global Flow of Information Conference 2005. Information SocietyProject at Yale Law School. April 1-3, 2005. New Haven, CT. Formore information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
April 4-8, 2005. Mar del Plata, Argentina. For more information:

VoIP World Africa 2005. April 5-7, 2005. Terrapinn. Johannesburg,South Africa. For more information:

Private Conduct/Private Places: New Media, Surveillance, Sexuality.
April 8-9, 2005. UC Berkeley. For more information:

RFID Journal LIVE! 2005. April 10-12. Chicago, IL. For moreinformation:

CFP2005: Fifteenth Annual Conference on Computers, Freedom andPrivacy. April 12-15, 2005. Seattle, WA. For more information:

2005 IEEE Symposium on Security and Privacy. IEEE Computer SocietyTechnical Committee on Security and Privacy in cooperation with TheInternational Association for Cryptologic Research. May 8-11, 2005.
Berkeley, CA. For more information:

Sixth Annual Institute on Privacy Law: Data Protection - The Convergenceof Privacy & Security. May 23-24, 2005. Atlanta, Ga. For moreinformation:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing.
Technical Committee on Security & Protection in Information ProcessingSystems with the support of Information Processing Society of Japan.
May 30-June 1, 2005. Chiba, Japan. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005. Luxembourg City, Luxenbourg. For more information:

3rd International Human.SocietyInternet Conference. July 27-29,
2005. Tokyo, Japan. For more information:

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For moreinformation: target="new">

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248(fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you cancontribute online at:

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback