EPIC Alert

EPIC Alert 12.07 [2005] EPICAlert 8


Volume 12.07 April 7, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Congress Holds Hearings to Review USA PATRIOT Act
[2] Commercial Data Brokers Grilled at California Hearing
[3] EPIC Urges Privacy Safeguards for RFID and Copyright Technology
[4] Spotlight: Homeland Security's Access Card Less Than Secure
[5] Education Agency's Student Tracking Proposal Opposed
[6] News in Brief
[7] EPIC Bookstore: Michael Caloyannides's Privacy & Computer Forensics
[8] Upcoming Conferences and Events

[1] Congress Holds Hearings to Review USA PATRIOT Act

This week Congress began reviewing the USA PATRIOT Act, some controversial provisions of which are slated to sunset at the end of this year unless Congress moves to reauthorize them. The Senate and House Judiciary Committees each heard Attorney General Alberto Gonzales defend the law and argue for renewal of its expiring provisions. The committees will continue to hold hearings through April and part of May on issues such as the FBI's wiretap authority and access to business records.

Senate committee members grilled Gonzales and FBI Director Robert Mueller on the law's broad definition of terrorism, as well as the standards the FBI must meet to obtain sneak-and-peek search warrants, which allow the government to delay notifying the target of an investigation that a search has happened. The Senate committee's chairman, Sen. Arlen Specter, pressed Gonzales and Mueller on whether the standards of proof the government must show in foreign intelligence investigations should be more stringent. After the hearing, Sens. Larry Craig and Dick Durbin announced plans to introduce legislation to roll back parts of the law.

In the House committee hearing, Gonzales was questioned sharply about its actions in the wake of the 9/11 terrorist attacks, such as secret immigration hearings. Gonzales conceded that "there were mistakes made."

Most sunsetting provisions of the USA PATRIOT Act expanded either federal wiretap law, which governs law enforcement interception of and access to communications in criminal investigations, or the secretive Foreign Intelligence Surveillance Act (FISA), which regulates the FBI's collection of "foreign intelligence" information for intelligence purposes. One of the most hotly debated provisions of the USA PATRIOT Act allows the FBI to get a court order to obtain "any tangible things" relevant to an investigation of foreign intelligence or international terrorist activities. People served with a warrant under this provision are not allowed to disclose the existence of the warrant or the fact that records or items were provided to the government. Documents obtained by EPIC under the Freedom of Information Act last year showed that this authority can be used to obtain items such as apartment keys, and that the FBI can collect information about innocent people under this provision.

Congress included a sunset provision in the USA PATRIOT Act so that it would have an opportunity to review the government's more extreme investigative powers at a less emotionally charged time. However, little information has been made public on how the FBI is using its authority under the USA PATRIOT Act. As Sen. Patrick Leahy said in his statement during the Senate Judiciary Committee's oversight hearing, "we have heard over and over again that there have been no abuses as a result of the PATRIOT Act. But it is difficult, if not impossible, to verify that claim when some of the most controversial surveillance powers in the PATRIOT Act operate under a cloak of secrecy."

Last month, EPIC submitted a Freedom of Information Act request to the FBI seeking information about how the agency has used its expanded power under the expiring provisions of the Act. EPIC argued for expedited processing, noting the importance of such information to the public and congressional debate surrounding the renewal of these authorities. EPIC has also posted a Web page on the sunsetting provisions of the law.

USA PATRIOT Act documents obtained by EPIC under the Freedom of Information Act are available at:

Statement of Senator Leahy, Senate Judiciary Committee Hearing on Oversight of the USA PATRIOT Act:

Senate Judiciary Committee hearing "Oversight of the USA PATRIOT Act":

House Judiciary Committee hearing "USA PATRIOT Act: A Review for the Purpose of Its Reauthorization."

EPIC's FOIA request to the FBI (pdf):

EPIC's USA PATRIOT Sunset page:


[2] Commercial Data Brokers Grilled at California Hearing

California State Sen. Jackie Speier put Choicepoint, LexisNexis, and Acxiom in the hot seat at a hearing before the State's Senate Banking Committee. All three companies have had major privacy breaches in the last two years. Speier, who chairs the committee, asked a series of hard-hitting questions probing why Choicepoint did not disclose its data breach sooner and how all the companies' systems were compromised. Speier also expressed skepticism concerning the data brokers' definition of "sensitive" information, which the industry defines as Social Security Numbers and driver's license numbers. When these same identifiers appear in public records, LexisNexis treats them as non-sensitive, and sells them to the company's clients. Speier stated that the identifiers were "indeed sensitive to most people in this nation...[the commercial data brokers' definition of "sensitive"]...doesn't reflect reality."

The hearing began with testimony from Elizabeth Rosen, a California nurse whose information was sold to criminals by Choicepoint. Rosen explained in detail her frustration with Choicepoint, because the company would not provide her with her full profile. A portion of her file that she did receive had errors on almost every page: multiple incorrect addresses; that she owned companies, including a deli; and that she maintained a private mailbox at Mailboxes Etc. Senator Alan Lowenthal asked Choicepoint why the company wouldn't give Rosen the same information the company had sold to criminals, but the Choicepoint representative didn't directly answer the question.

EPIC West Director Chris Jay Hoofnagle's testimony before the committee focused on three issues. First, Mr. Hoofnagle emphasized that the legislature should approach the commercial data broker issue primarily as a privacy problem rather than a security issue. Mr. Hoofnagle's testimony highlighted the Choicepoint subscriber agreement, which includes categories for a wide range of businesses considered qualified for access to personal data. They include: attorneys, banking, financial, retail, wholesale, insurance, human resources, security companies, process servers, news media, bail bonds, and "other." Even if Choicepoint and other data brokers sold personal information in a secure way, the base problem is that the company continues to sell personal information to this wide array of businesses.

Second, Mr. Hoofnagle highlighted the difference between Choicepoint's regulated information services, such as employment and tenant screening services, and the company's unregulated "public records" reports. Legislative attention should be focused on these unregulated information products. Mr. Hoofnagle told legislators that Choicepoint plays a "shell game" with its products: Choicepoint representatives don't always specify in policy debates whether they are discussing their regulated or unregulated reports, thus confusing the public and lawmakers.

Finally, Mr. Hoofnagle suggested that California legislators take swift action to address data brokers by following a framework authored by George Washington University Law School Professor Daniel Solove and Mr.

Choicepoint apologized for selling personal information to criminals, and announced a series of reforms. The company will no longer sell "sensitive" personal information to small businesses. Small businesses will still be able to buy Choicepoint reports, but it appears that Social Security Numbers will be truncated in some fashion. The company will still sell its full reports to big businesses and federal, state, and local law enforcement agencies (Choicepoint has contracts with 7,000 law enforcement agencies). The company also announced that it is working on a system to provide access to all of its information products. However, individuals will not be able to correct their "public records" reports. Choicepoint also announced that the company could automatically redact SSNs that appear in public records.

Pam Dixon of the World Privacy Forum previewed a report on commercial data brokers that reveals a very high error rate in personal information reports. In her sample, 90% of the reports obtained contained errors; frequently these errors were serious, such as individuals being identified by the wrong sex. Dixon also told legislators that companies are using "anti-fraud" loopholes in privacy law to justify expansive information use.

EPIC West Testimony on Commercial Data Brokers:

Model Privacy Regime Version 2.0 by Daniel Solove and Chris Hoofnagle:

[3] EPIC Urges Privacy Safeguards for RFID and Copyright Technology

EPIC and other civil liberties groups have filed comments urging the State Department to abandon its plans to require RFID passports for all American travelers. The comments state that the proposal is flawed because the agency lacks legal authority to require RFID travel documents. The proposal also lacks evidence to support that RFID-enabled passports are necessary or that their benefits outweigh the security risks inherent in having the data in a contactless and unencrypted format. Also, the State Department failed to conduct a privacy impact assessment of the new technology as mandated by law.

In earlier comments to the working document on RFID technology of the Article 29 Working Group, an association of leading European privacy officials, EPIC recommended strong safeguards for RFIDs, and prohibition of "chipping" people and using unencrypted RFID passports. Furthermore, strong privacy standards (like EPIC's own RFID Privacy Guidelines) should be used when RFID tags are placed on consumer products in the retail environment.

In other comments to the same Working Group on digital rights management systems (DRM), EPIC and the Yale Law School Information Society Project focused on the intersection of copyright protection and users' privacy. (DRM systems track the online use of digital works.) After showing how DRM designs invade the privacy of digital media users, the comments recommended strict enforcement of data protection regulations already in place.

EPIC, EFF et al, Comments on RFID passports (pdf):

EPIC Comments on RFID to the Article 29 Working Group (pdf):

EPIC and Yale Law School, Comments on DRM to the Article 29 Working Group (pdf):

EPIC's RFID page:

EPIC's VeriChip page:

EPIC's DRM page:

[4] Spotlight: Homeland Security's Access Card Less Than Secure

President Bush's proposed $2.57 trillion federal budget for Fiscal Year 2006 greatly increases the amount of money spent on surveillance technology and programs while cutting about 150 programs, most of them from the Department of Education. EPIC's "Spotlight on Surveillance" project scrutinizes these surveillance programs.

This month, EPIC evaluates the Department of Homeland Security's new employee access card and finds significant security risks. The wireless technologies linked to the Department of Homeland Security Access Card (DAC) leave employees' personal information vulnerable to access by criminals. Also, the Department further exposes the card by its broad expansion of the card's function to turn it into a payment device, one that would be used several times a day in unsecured locations such as Metro train stations.

Beginning in May and through the end of the year, Homeland Security will issue the DAC to 40,000 of its 180,000 employees and contractors. The DAC is about the size of a credit card and will carry a digital copy of the cardholder's fingerprint as well as other information. The Department requests $6 million for the DAC program in FY 2006, and each card costs about $8.50.

Homeland Security has assumed that there will be some problems with the biometric identifier system on the DAC. The Department has a backup system built into the card: if the fingerprint identification fails, then the employee can gain access by using a 6- to 8-digit PIN. By allowing alternate access through the PIN, Homeland Security creates all of the vulnerabilities associated with allowing complete access to secure areas and information through one password. This is a significant security risk, as a criminal could bypass the biometric identification system by simply learning the PIN. Even without the PIN bypass there are risks to equipping the card with the power to access not only the Department of Homeland Security's resources, but also those of local, state and other federal government entities.

Department of Homeland Security's DAC site:

EPIC's Spotlight on Surveillance page:

EPIC's Biometrics page:

[5] Education Agency's Student Tracking Proposal Opposed

The National Center for Educational Statistics (NCES), part of the Department of Education, has published a feasibility study on the renewal of the postsecondary education statistic that would lead to the creation of a "database of millions of students records." The report examined the feasibility of implementing a student unit record system. The study proposed replacing the existing Integrated Postsecondary Education Data System (IPEDS), which is based on institution-level aggregate data, with a system that requires individualized raw data about every student at American collegiate institutions.

Today, student unit record data is only collected by the federal government if a student receives federal student loans. Under the NCES proposal all public and private universities and colleges would be required to submit their student data for the NCES database. Each student's unit record contains 40 personal items, notably the student's Social Security Number or Individual Taxpayer Identification Number, date of birth, gender, race and permanent address. The feasibility study proposed that "[i]ndividual identifiable data would remain within the permanent storage system" and have "new records added every year."

Department of Education officials have repeatedly complained about the statistics' inability to depict modern trends in higher education. Present postsecondary education statistics are not sensitive to non-traditional students because IPEDS is only designed to collect data on full-time students. The rationale for requiring students with no relationship with the Department of Education to provide the NCES with a complete track record of their higher education pursuits is questionable. EPIC and other privacy groups stated that statistical purposes alone are not strong enough reasons to infringe upon students' rights to educational privacy.

Under the USA PATRIOT Act, the US Attorney General and the Department of Justice would have access to this comprehensive federal student database. There is also the strong possibility that such a database would suffer from mission creep: the information gathered would be used for non-statistical purposes.

The United States Student Association opposes the creation of the database. According to the USSA, "There are few protections offered for students under this proposal. They don't have the opportunity to opt out, even students who don't receive federal student aid." The National Association of Independent Colleges & Universities also objects to its creation. The NAICU said, "We do not believe that the price for enrolling in college should be permanent entry into a federal registry, and we fear that the existence of such a massive registry will prove irresistible to future demands for access to the data for non-educational purposes."

Katherine Haley Will, the President of Gettysburg College, warned recently that "The potential for abuse of power and violation of civil liberties is immense. The database would begin with 15 million-plus records of students in the first year and grow. These student records would be held by the federal government for at least the life of the student."

Congress will likely consider the recommendations of the NCES feasibility study during debates about the reauthorization of the Higher Education Act. However, lawmakers showed great reluctance to implement a vast student record database during passage of the No Child Left Behind Act. In that Act, Congress explicitly prohibited the development of a nationwide database of personally identifiable information on children from kindergarten through high school.

NCES's Feasibility of a Student Unit Record System Within the Integrated Postsecondary Education Data System:

NAICU Issue Summary: Student Unit Record Data:

"Alma Mater As Big Brother," The Washington Post, March 29, 2005

EPIC's Student Privacy page:

[6] News in Brief

Reports Scrutinize Secure Flight, Agency's Passenger Data Practices

The Government Accountability Office recently released a report on the Secure Flight passenger prescreening proposal, concluding that the Transportation Security Administration still has many issues to address before the feasibility of the program can be known, though the agency plans to launch the program in August. The report, commissioned by Congress, stated that the office could not evaluate a number of aspects of Secure Flight including the effectiveness of the system, the accuracy of intelligence data that will determine whether passengers may fly, safeguards to protect passenger privacy, and the adequacy of redress for passengers who are improperly flagged by the program.

In related news, the Department of Homeland Security Inspector General issued findings on the TSA's role in collecting and disseminating airline passenger data to third party agencies and companies. The report revealed that the agency has been involved in 14 transfers of data involving more than 12 million passenger records. The Inspector General found, among other things, that "TSA did not consistently apply privacy protections in the course of its involvement in airline passenger data transfers." Furthermore, TSA did not accurately represent to the public the scope of its passenger data collection and use.

Government Accountability Office, Aviation Security: Secure Flight Development and Testing Under Way, but Risks Should Be Managed as System is Further Developed (pdf):

Department of Homeland Security Inspector General, Review of the Transportation Security Administration's Role in the Use and Dissemination of Airline Passenger Data:

EPIC's Secure Flight page:

EU Asks US to Delay Deadline for Biometric Passports Requirement

The European Union has asked the US to delay the deadline for the requirement that visitors entering the country without visas hold a passport with a biometric identifier. European Justice Commissioner Franco Frattini has written to Congress asking for the October 2005 deadline to be pushed back to August 2006. Frattini says that it is taking longer than expected to address interoperability and security issues with the biometric readers, and that only six EU countries are in a position to meet the October deadline. If the US agrees to the demand, it will be the second extension to the biometric passport deadline.

EPIC's Biometrics page:

EPIC Supports WHOIS Privacy Campaign

EPIC has joined with Go Daddy and others to urge a federal agency to restore the right of Internet users to maintain private Web site registrations. In February, the National Telecommunication and Information Administration disallowed private registrations for .US domain names, without a hearing, rulemaking, or public debate. The action undercuts online privacy, puts individuals at risk, and threatens Constitutional values.

Sign the petition at:

EPIC's WHOIS page:

[7] EPIC Bookstore: Michael Caloyannides's Privacy & Computer Forensics

Michael A. Caloyannides, Privacy Protection and Computer Forensics (Artech House Publishers 2004)

"Going far beyond typical computer forensics books, this thoroughly revised edition of an Artech House bestseller is the only book on the market that focuses on how to protect one's privacy from data theft, hostile computer forensics, and legal action. It addresses the concerns of today's IT professionals, as well as many users of personal computers, offering more detailed "how to" guidance on protecting the confidentiality of data stored on computers. Moreover, the second edition has been updated to include specific information on the vulnerabilities of ancillary computing devices, such as PDAs, cellular telephones and smart cards. This cutting-edge book identifies the specific areas where sensitive and potentially incriminating data is hiding in computers and consumer electronics, and explains how to go about removing this data. The book provides a systematic process for installing operating systems and application software that will help to minimize the possibility of security compromises, and numerous specific steps that need to be taken to prevent the hostile exploitation of one's computer."

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, as well as recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

A Brookings Briefing: Offshoring and Privacy: Consumer Data in the Global Economy. April 08, 2005. Washington, DC. For more information:

Private Conduct/Private Places: New Media, Surveillance, Sexuality. April 8-9, 2005. UC Berkeley. For more information:

RFID Journal LIVE! 2005. April 10-12. Chicago, IL. For more information:

Future of Music Coalition DC Policy Day. April 12, 2005. Washington, DC. For more information:

CFP2005: Fifteenth Annual Conference on Computers, Freedom and Privacy. April 12-15, 2005. Seattle, WA. For more information:

OECD Workshop on Consumer Dispute Resolution and Redress in the Global Marketplace. April 19-20, 2005. Washington, DC. For more information:

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research. May 8-11, 2005. Berkeley, CA. For more information:

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence of Privacy & Security. May 23-24, 2005. Atlanta, Ga. For more information:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing. Technical Committee on Security & Protection in Information Processing Systems with the support of Information Processing Society of Japan. May 30-June 1, 2005. Chiba, Japan. For more information:

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence of Privacy & Security. June 6-7, 2005. San Francisco, CA. For more information:

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence of Privacy & Security. June 20-21, 2005. New York, NY. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. July 11-15, 2005. Luxembourg City, Luxembourg. For more information:

3rd International Human.SocietyInternet Conference. July 27-29, 2005. Tokyo, Japan. For more information:

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005. Edinburgh, Scotland. For more information:

5th Annual Future of Music Policy Summit. Future of Music Coalition. September 11-13, 2005. Washington DC. For more information:

The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. November 30-December 4, 2005. Vancouver, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

