WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2005 >> [2005] EPICAlert 9

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 12.08 [2005] EPICAlert 9







EPIC ALERT


Volume 12.08 April 21, 2005

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_12.08.html


Table of Contents



[1] EPIC FOIA Note #3: Voting Machine Vendor Misled Election Officials
[2] States and Congress to Regulate Data Brokers in Wake of Scandals
[3] Controversial Database Project MATRIX Closes Down
[4] California Considers Prohibiting RFID Use in State ID Cards
[5] Choicepoint, Voter Rolls and Public Records Highlighted at CFP 2005
[6] News in Brief
[7] EPIC Bookstore: Mari J. Frank's Guide to Ending Identity Theft
[8] Upcoming Conferences and Events


[1] EPIC FOIA Note #3: Voting Machine Vendor Misled Election Officials

In the third edition of "EPIC FOIA Notes," formerly secret documentsobtained by EPIC from Ohio reveal that Diebold misled state officialsabout the capability of its voting machines. Diebold claimed that itstouch screen AccuVote machines would last at least 20 years. However,the Independent Testing Authority (ITA) Wyle Laboratories, which Dieboldpaid to evaluate its AccuVote voting system, reported that the machineswould only be reliable for 8 years.

Diebold is the same company that misled California about its AccuVotemachines. California barred the use of this voting system in the 2004election. In Maryland, some Diebold machines broke down on Election Day2004.

"EPIC FOIA Notes" gives subscribers fast access to important documentsobtained by EPIC under the Freedom of Information Act, allowing users ofmobile devices to learn quickly about important open government news.
The first two editions highlighted documents recently obtained from theFBI about data broker Choicepoint.

EPIC FOIA Notes #3:

http://www.epic.org/foia_notes/note3.html

Subscribe to EPIC FOIA Notes (please note that Alert subscribers willnot automatically receive the publication):

https://mailman.epic.org/cgi-bin/control/foia_notes

EPIC's Public Information Requests to States on DRE Voting Technologypage:

http://www.epic.org/privacy/voting/foia/default.html




[2] States and Congress to Regulate Data Brokers in Wake of Scandals

State legislatures and Congress are beginning to consider how to addressthe privacy problems caused by commercial data brokers, companies thatsell personal information, such as Choicepoint, LexisNexis, and Acxiom.
All three companies testified before the Senate Judiciary Committee lastweek, where Sen. Dianne Feinstein (D-CA) asked whether any of thecompanies had a security breach prior to 2003, before they were under alegal obligation to notify consumers. Choicepoint testified that it had,LexisNexis testified that it believed it had breaches, and Acxiomtestified that it had a breach in 2003 and notified its clients (bigbusinesses that transferred consumer data to Acxiom) but not consumers.
Sen. Feinstein concluded, "This is my point: If it weren't for theCalifornia law [requiring notice to consumers of security breaches], wewould have no way of knowing breaches that have occurred. It's reallyonly because of that law that we now know. We, in no way, shape or form,are able to pierce the depth of what has happened in this industry."

Meanwhile, California and New York introduced legislation tobring commercial data brokers and sellers of personal information fordirect marketing purposes under regulation similar to the Fair CreditReporting Act. Both bills incorporate many of the remedies to thecommercial data broker problem proposed by EPIC West Director ChrisHoofnagle and George Washington Law School Professor Daniel Solove. TheCalifornia legislation, SB 550 introduced by Sen. Jackie Speier (D-SanFrancisco), would give individuals important rights over theirinformation held by data brokers. If passed, Californians would be ableto access and correct their records, opt-out of having their data inreports, obtain an accounting of disclosures of their information, andobtain a free credit freeze if a data broker has a security breach.
(Credit reports that are "frozen" or sealed can be made available onlywhen the individual "thaws" her file, and specifies to whom, when, or inwhat contexts the file can be released.) Individuals would also have theability to sue for violations of the law.

The New York legislation, proposed by Attorney General Eliot Spitzer,would allow individuals to remove their information from data brokers'
and direct marketers' databases. New Yorkers could gain access to theirprofiles, and would receive notice whenever their dossiers were sold. Ifpassed, New York would be the fifth state to provide its citizen withcredit freeze legislation. Such laws exist in California, Texas,Louisiana and Vermont).

Next week, the Senate Commerce Committee will hold a hearing onChoicepoint. EPIC will continue to track these issues and report onimportant developments.

Text of the Proposed California SB 550:

http://www.epic.org/redirect/calif550.html
Proposed New York Legislative Package:

http://www.oag.state.ny.us/press/2005/apr/apr18a_05.html

Model Privacy Regime Version 2.0 by Daniel Solove and Chris Hoofnagle:

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=699701

EPIC's Choicepoint page:

http://epic.org/privacy/choicepoint/




[3] Controversial Database Project MATRIX Closes Down

The Multistate Anti-Terrorism Information Exchange (MATRIX), athree-year-old crime and terrorism database, closed down Friday becauseits federal funding ran out. MATRIX was run by Florida and LexisNexissubsidiary Seisint, which last week announced a security breach thatcompromised data on 310,000 Americans. MATRIX drew criticism because thedatabase had detailed files about innocent people, including credithistories and fingerprints.

Nine states had left the project during its three-year history citingprivacy, legal and cost concerns. Four states remained in the program:
Ohio, Connecticut, Pennsylvania, and Florida. MATRIX had been financed by$12 million in federal grants. Elements of MATRIX may continue if individualstates decide to finance it on their own.

The personal information contained in MATRIX included individuals'
names, past addresses, telephone numbers, Social Security numbers, datesof birth, credit information, driver's license photographs, marriage anddivorce records, names and addresses of family members, and neighbors'
addresses and telephone numbers. Some of the information was incorrect,but individuals were unable to correct their records.

News Release Announcing MATRIX Closure on April 15, 2005:

http://www.epic.org/redirect/flamat.html

EPIC's amicus brief before the Supreme Court in Hiibel v. Nevadadescribing MATRIX (pdf):

http://www.epic.org/privacy/hiibel/epic_amicus.pdf
MATRIX site:

http://www.matrix-at.org/




[4] California Considers Prohibiting RFID Use in State ID Cards

Federal and state officials have been considering attaching "tag andtrack" devices, known as RFIDs (Radio Frequency Identification tags), togovernment documents. California State Sen. Joe Simitian (D-11) hasintroduced "The Identity Information Protection Act" (SB 682), whichwould prohibit the inclusion of RFIDs in identity documents issued bystate agencies, such as driver's licenses, student identificationbadges, and medical cards. A broad coalition of privacy rights,consumer, and civil liberties groups are supporting the bill.

RFID tags are tiny integrated circuits with small antennae that enableinformation to be scanned remotely without the person's knowledge. Thisinformation could include the personal data displayed on ID cards,including an individual's name, address, telephone number, date ofbirth, photograph, fingerprint, Social Security number and any otherunique personal identifier or number. This information could easily beread by any person armed with a RFID reader, and then be used forstalking, kidnapping, or identity theft.

Every year, about 10 million persons are victims of identity theft.
RFID-enabled ID cards that are not properly designed and have weaktechnological safeguards are likely to make the crime of identity thefteasier to commit.

Text of Proposed SB 682: "The Identity Information Protection Act" (pdf):

http://www.aclunc.org/cyber/050223-radioID.pdf

EPIC's RFID page:

http://www.epic.org/privacy/rfid



[5] Choicepoint, Voter Rolls and Public Records Highlighted at CFP 2005

Many privacy issues were discussed at the 15th Annual Computers, Freedomand Privacy Conference held in Seattle, Wash., last week. ThreeWashington members of EPIC participated in panels discussing consumerrights, voting rights, and data mining and public records.

Chris Hoofnagle, director of EPIC's West Coast Office in San Francisco,discussed the emerging privacy problems presented by commercial databrokers, such as Choicepoint. Mr. Hoofnagle explained that thecompanies collected personal information from public records, governmentdatabases such as motor vehicle repositories, and companies that sellconsumer data. Mr. Hoofnagle emphasized that commercial data brokersoften sell two lines of information reports, one that is regulated underthe Fair Credit Reporting Act (FCRA), and a parallel line of reportsthat contain similar information but are not covered by the Act. Thisparallel line of non-FCRA reports is sold to many parties, andindividuals have no ability to correct errors, see who has obtainedtheir reports, or to limit the distribution of their information.

Lillie Coney, EPIC Associate Director, and Dr. Barbara Simons, Co-chairof Association for Computing Machinery's US Public Policy Committee,headed a panel discussing plans by states to implementstatewide-centralized voter registration systems. A little-knownprovision of the Help America Vote Act requires that states, with theassistance of the newly created U.S. Election Assistance Commission,develop such databases by 2006. Panelists discussed the importance offair information practices. Such practices provide notice and assuranceto voters that the information provided to the state will be used forthe purpose it was collected, that it will be accurate, that voters willhave an opportunity to correct inaccurate information and that voter'sinformation will be secure. Also discussed was the larger issue ofsecurity presented by insider and outsider threats as well as potentialvulnerabilities in these database systems.

Marcia Hofmann, Director of the EPIC Open Government Project, moderateda session challenging conference participants to pose solutions tocomplex issues created by public records and data mining. The panelproposed hypothetical problems about posting personal information onlinethrough public records and making conviction records available throughcommercial databases, and asked the audience how to resolve thecomplicated privacy and access issues created by each scenario. Panelparticipants Cindy Southworth, Technology Director of National Networkto End Domestic Violence; Professor Dan Solove, George WashingtonUniversity Law School; and Doug Klunder, Privacy Project Director at theAmerican Civil Liberties Union of Washington, respectively played theroles of privacy advocate, media representative, and the data brokerageindustry to add diverse perspectives to the spirited discussion.

EPIC's Choicepoint page:

http://epic.org/privacy/choicepoint/

EPIC's Statewide Centralized Voter Registration Databases page:

http://www.epic.org/privacy/voting/register/

National Committee for Voting Integrity:

http://www.votingintegrity.org/




[6] News in Brief

Data Security Breaches Grow in Frequency, MagnitudeNews reports continue to abound detailing new and existing personalinformation security breaches. These reports are driven by securitybreach notices issued to consumers by institutions that contain SocialSecurity, driver's license, or account numbers that were accessed byunauthorized parties. These notices are required by a California statelaw that went into effect in 2003. This law has pierced the publicrelations veil of the data industry, revealing that security breachesare much more common than previously thought. In recent weeks, shoecompany DSW announced that its information breach affected ten timesmore consumers (a total of 1.4 million) than the company estimated amonth ago; similarly, LexisNexis announced a ten-fold increase in thenumber of people affected by its data breach (a total of 310,000); andHSBC Bank warned that an American retailer, thought to be Polo RalphLauren, had a security breach affecting 180,000 individuals.

Text of California SB 1386, the Notification Law:

http://privacy.ca.gov/code/cc1798.291798.82.htm

UK Plans to Add Biometrics to PassportsThe United Kingdom's Home Office said on April 12 that it plans tofingerprint all passport applicants within the next five years and storethe data on chips embedded in passports. This comes just days after thegovernment was forced to pull pending legislation for a nationalidentity card program using biometric technology. A recent report byacademics from the London School of Economics and Political Sciencerecommended that legislators abandon the legislation because currentproposals were "too complex, technically unsafe, overly prescriptive andlack a foundation of public trust and confidence." The Labor Party hadpromised to revisit the issue if it retains the ruling position afterthe May 6 general election. The fingerprinting plan bypasses Parliamentbecause passports are granted by Royal Prerogative.

The Identity Project: An assessment of the UK Identity Cards Bill & itsimplications by the London School of Economics & Political Science:

http://www.epic.org/redirect/lseid.html
EPIC's National ID Cards page:

http://www.epic.org/privacy/id_cards/


House Committee Scrutinizes Homeland Security Counterterrorism StrategiesDepartment of Homeland Security Secretary Michael Chertoff testifiedbefore the House Committee on Homeland Security on April 13 aboutcounterterrorism strategies. Committee members asked for moreinformation about the department's proposed $847 million Office ofScreening Coordination and Operations (SCO). The office would overseevast databases of fingerprints, photographs, and personal informationfrom millions of Americans and foreigners. SCO would be responsible manyprograms including United States Visitor and Immigrant Status IndicatorTechnology (US-VISIT), Secure Flight and Crew Vetting, TransportationWorker Identification Credential and Registered. In a letter to a Housesubcommittee last month, EPIC urged careful scrutiny of this plannedoffice. Homeland Security has announced that the office's operationswould be conducted in a manner that safeguards civil liberties, but theagency has not yet explained how it proposes to protect privacy rightsor ensure accountability. The authorization bill for Homeland Securityis scheduled for subcommittee markup on April 26, the full committeemarkup is set for April 28, and full House consideration is expected onMay 11.

EPIC's Letter to House Subcommittee on Economic Security, InfrastructureProtection, and Cybersecurity (pdf):

http://www.epic.org/privacy/budget/fy2006/sco_letter.pdf

EPIC's Fiscal Year 2006 Budget page:

http://www.epic.org/privacy/budget/fy2006/default.html

House Committee on Homeland Security:

http://hsc.house.gov/

Individual-i Freedom Campaign LaunchedA new campaign, called "Individual-i," has launched to raise awarenessof civil liberties issues and to provide a symbol for those who wish toexpress their rights. Individual-i seeks to represent the right toprivacy and anonymity; open government, due process, and equalprotection under the law; the right to live free of surveillance; andthe right not to be marked as "suspicious" for wanting these otherrights.

Individual-i site:

http://www.individual-i.com/

French Government Considers Compulsory Biometric IDsThe French government may soon mandate that its citizens carry anational identity card. Although French citizens must prove theiridentity to officials upon request, they can choose to present avoluntary national ID card, an official document such as a drivinglicense or a passport (even expired), or call witnesses. In March, theFrench government outlined a plan to replace the identity cards andpassports offered to its citizens with new ones that carry a microchipcontaining digitized photographs and fingerprints. The plan is tointroduce the passports in 2006, and the identity cards a year later.

EPIC's National ID Cards page:

http://www.epic.org/privacy/id_cards/




[7] EPIC Bookstore: Mari J. Frank's Guide to Ending Identity Theft

Mari J. Frank, From Victim To Victor: A Step By Step Guide For Endingthe Nightmare of Identity Theft (Porpoise Press 2005)

http://powells.com/cgi-bin/biblio?inkey=17-1892126044-1

"With 10 million new victims a year, there is a vast need for people tohave legal help at a reasonable price. As a lawyer and former victimherself, who has helped thousands of victims, Ms. Frank coaches andguides you through every step, to lead you out of the nightmare. MariFrank had created the first self-help recovery tool for victims ofidentity theft back in 1998, and this new edition with CD includes thenew federal laws and regulations in an easy to understand format."



EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Lawsand Developments" (EPIC 2004). Price: $35.
http://www.epic.org/bookstore/phr2004

This survey, by EPIC and Privacy International, reviews the state ofprivacy in more than sixty countries around the world. The surveyexamines a wide range of privacy issues including data protection,passenger profiling, genetic databases, video surveillance, ID systemsand freedom of information laws.



"FOIA 2004: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 22ndedition fully updates the manual that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or need to learn how to litigatethem), this is an essential reference manual.



"The Public Voice WSIS Sourcebook: Perspectives on the World Summit onthe Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and theprocess of the World Summit on the Information Society (WSIS). Thisreference guide provides the official UN documents, regional andissue-oriented perspectives, as well as recommendations and proposalsfor future action, as well as a useful list of resources and contactsfor individuals and organizations that wish to become more involved inthe WSIS process.



"The Privacy Law Sourcebook 2003: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.



"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.



"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.



"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.



EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html


EPIC also publishes EPIC FOIA Notes, which provides brief summariesof interesting documents obtained from government agencies under theFreedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes




[8] Upcoming Conferences and Events

2005 IEEE Symposium on Security and Privacy. IEEE Computer SocietyTechnical Committee on Security and Privacy in cooperation with TheInternational Association for Cryptologic Research. May 8-11, 2005.
Berkeley, CA. For more information:
target="new">http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html.

58th Annual New York University Conference on Labor:Workplace Privacy:
Here and Abroad. May 19-20, 2005. NYU School of Law. For moreinformation:
http://www.law.nyu.edu/centers/labor/conferences/

Sixth Annual Institute on Privacy Law: Data Protection - The Convergenceof Privacy & Security. May 23-24, 2005. Atlanta, Ga. For moreinformation:
http://www.pli.edu/product/program_detail.asp?ptid=511&stid=3&id=
EN00000000019985


SEC2005: Security and Privacy in the Age of Ubiquitous Computing.
Technical Committee on Security & Protection in Information ProcessingSystems with the support of Information Processing Society of Japan.
May 30-June 1, 2005. Chiba, Japan. For more information:
http://www.sec2005.org.

Sixth Annual Institute on Privacy Law: Data Protection - The Convergenceof Privacy & Security. June 6-7, 2005. San Francisco, CA. For moreinformation: http://www.pli.edu/

Sixth Annual Institute on Privacy Law: Data Protection - The Convergenceof Privacy & Security. June 20-21, 2005. New York, NY. For moreinformation: http://www.pli.edu/

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005. Luxembourg City, Luxenbourg. For more information:
http://www.icann.org.

3rd International Human.SocietyInternet Conference. July 27-29,
2005. Tokyo, Japan. For more information: http://hsi.itrc.net.

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:
http://www.ics.uci.edu/~kobsa/PEP05.

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:
http://www.futureofmusic.org/events/summit05/index.cfm.

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For moreinformation: target="new">http://www.icann.org.


Subscription Information

Subscribe/unsubscribe via web interface:

target="new">https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.


Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under"subscription information."


About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information, seehttp://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248(fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you cancontribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.



.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/journals/EPICAlert/2005/9.html