E P I C A l e r t
Representative Bennie Thompson, Ranking Member of the House Homeland Security Committee, wrote to Michael Chertoff, head of the Department of Homeland Security to criticize Chertoff's selection of Hugo Teufel to be the Department's new Privacy Officer.
Thompson begins by noting the importance of the Privacy Officer's role, ensuring that Homeland Security programs do not abridge privacy rights. Such oversight not only protects individuals, Thompson said, but it prevents government waste. "As demonstrated by the CAPPS II and Secure Flight debacles, failing to consider privacy during the early stages of programs can cost hundreds of millions of taxpayer dollars and harm public trust."
Because of the importance of this, role, Thompson says, Congress indeed the Chief Privacy officer be "a qualified and experienced privacy expert." Nuala O'Connor Kelly, the first DHS Privacy Officer, is praised by Thompson for her privacy experience in the private sector and at the Department of Commerce. Her immediate successor, Maureen Cooney, is also complemented for her privacy work at the Federal Trade Commission and as O'Connor Kelly's Chief of Staff. "Both [O'Connor Kelly and Cooney] are respected among government, private sector, and privacy experts and brought credibility to the position. They did so by putting their responsibility to advocate for the American people and their privacy rights ahead of pleasing the Departmental leadership."
By contrast, Thompson notes that Teufel previously served as an Associate General Counsel at Homeland Security, where he would have acted as an advocate for the Department. "It is hard to envision Mr. Teufel directly challenging the same policies he has vigorously protected and promoted as would need to be done, at times, by a Chief Privacy Officer," Thompson wrote. "Even a casual observer could foresee a conflict between his previous tenure at the Department and his current role."
Thompson also provides particular anecdotes in support of his doubts. During a Congressional investigation of alleged contract rigging at the Department, Teufel directed his staff to turn over documents about a contractor to Congress. These documents, irrelevant to the investigation, included personal information, such as individual employees' names, Social Security Numbers, and drivers license numbers. "Neither Mr. Teufel nor his staff ever indicated to Committee staff that he had reservations about sharing this information or even suggested that the Social Security Numbers of contractor employees and applicants be redacted," wrote Thompson.
Finally, Thompson pointed out weaknesses in the Privacy officer position itself, noting that he and other members of Congress doubted the independence of the office. "By having the Chief Privacy Officer report directly to the Secretary [of Homeland Security], rather than to Congress, that individual's ability to be an independent assessor of the Department's progress is diminished. It is sure to be difficult for the Privacy officer to act as an independent watchdog, in a manner similar to how the Inspector General operates, when he or she is a political appointee whose work must be approved [by the Secretary]."
Rep. Thompson's Letter to Homeland Security Secretary Chertoff (pdf):
Office of the Chief Privacy Officer of DHS:
Non-commercial users within ICANN, the corporation that manages the global domain name system, have urged the Internet Governance Forum (IGF) to protect privacy in the WHOIS database. A statement from the Non Commercial Users Constituency (NCUC) highlighted the dangers presented by having the personal contact information of every domain name holder disclosed over the Internet.
The IGF, created out of the 2005 meeting of the UN-endorsed World Summit on the Information Society, seeks to make recommendations to the international community on the broad issues of Internet governance. The first meeting of the IGF is scheduled for September 30 through October 2, 2006, in Athens, Greece.
The WHOIS database contains the personal contact information of anyone who registers a domain name. When a user decides to register a domain name, he is usually asked for his name, address, email address, and phone and fax numbers. The user must also provide the complete contact information for a technical contact and an administrative contact. In the case of individuals or small organizations, the registrant himself is often the administrative contact, providing his own home address and telephone number. If a user does not provide his name or address, or complete contact information for the technical and administrative contacts, his domain name may be taken away. All of this information is then published in the WHOIS database for anyone to access.
The NCUC statement objects to this current policy, which it says violates the privacy rights of individuals who register domain names. The statement notes not only the harms that users may be subject to (such as stalking, spamming, and harassment), but also that ICANN's current WHOIS policy may violate international laws and the privacy rights espoused by the UN's Universal Declaration of Human Rights. The statement notes that, by denying domain holders the ability to speak anonymously, freedom of expression is chilled, especially for dissidents within speech-oppressive regimes. The volume and detail of information published in WHOIS also paces domain name holders at risk for spamming and phishing attempts that can contribute to identity theft.
EPIC is a member of the NCUC, and has participated in many policymaking processes on WHOIS, most recently testifying before a U.S. congressional subcommittee on the privacy threats created by the database.
Non Commercial Users Constituency Statement (pdf):
IGF 2006 Site:
EPIC's WHOIS page:
EPIC's Testimony before Congressional Subcommittee on WHOIS (pdf):
After years of litigation, a Florida bank was required to pay $50 million in a class-action settlement resulting from violations of federal privacy law. Fidelity Federal Bank & Trust of West Palm Beach, FL, purchased 656,600 names and addresses from the Florida Department of Highway Safety and Motor Vehicles, for a penny per name. Fidelity Federal used this information to send unsolicited auto loan brochures to Florida residents.
The purchase violated the Drivers Privacy Protection Act, a 1993 law passed after it was shown that stalkers and other criminals had used motor vehicle records to locate their victims. The law requires that a state DMV must obtain a driver's opt-in consent before releasing personal information for marketing purposes. The Florida DMV, however, sold the information to Fidelity Federal without the drivers' consent. The Drivers Privacy Protection Act allows individuals to recover either the actual damages caused by the breach, or $2,500.
A class of the affected drivers sued in federal court, while Fidelity Federal argued that, since the plaintiffs had not proven actual damages, they were not entitled to any recovery. After losing in federal district court, the plaintiffs appealed successfully to the Eleventh Circuit Court of Appeals in 2005. Earlier this year, the Supreme Court refused to alter the Eleventh Circuit's decision, and the suit, which could potentially have cost Fidelity Federal $1.4 billion, was allowed to go forward. The current settlement ends the suit, although the Palm Beach Post reports that Fidelity Federal may consider action against the state of Florida. The Post also reports that suits against data brokers who illegally purchased DMV records are also in the works.
EPIC filed a "friend of the court" brief in favor of the plaintiffs before the Eleventh Circuit, arguing that the $2,500 penalty provided a necessary incentive for both states and private entities not to deal in drivers' personal information. Quantifying and proving in court the actual damages that result from breaches of information is often difficult for individuals, since harms from identity theft or other fraud can easily occur long after the initial breach. It is also often difficult to trace the source of fraud or identity theft to any one individual breach.
EPIC's Kehoe v. Fidelity Federal Bank and Trust page:
Supreme Court Denial of Certiorari (pdf):
Palm Beach Post Story on Settlement:
A report recently released by the Government Accountability Office shows that existing laws do not require data brokers to protect sensitive personal information. Currently, a patchwork of federal laws apply to particular types of businesses, or databases used only for particular purposes. The Gramm-Leach-Bliley Act, for instance, only applies to information obtained by or from specific financial institutions, while the Fair Credit Reporting Act only applies to information when it is used to make certain decisions, such as whether to offer credit or insurance.
The GAO found that, because of these restrictions, data brokers that profit from buying and selling the personal information of individuals are often not required to take minimal steps to safeguard individuals' personal information. The GAO Therefore recommended that Congress require data brokers to safeguard this information adequately, and give the Federal Trade Commission authority to enforce such regulations.
Several bills have been proposed in recent months that would create more stringent data security requirements for data brokers and other holders of personal information, though many would also have eliminated stronger state protections, and prevented state authorities from enforcing the law.
Studies in Canada and the United Kingdom also highlight the privacy risks created by insecure handling of personal information. The Canadian Internet Policy and Public Interest Clinic (CIPPIC) has released two reports on data protection in the private sector. One surveyed several dozen online retailers to test their compliance with Canadian privacy laws, and found "widespread non-compliance" in key areas. Retailers often did not clearly state what they would do with consumers' information, or were misleading about their practices. For instance, a number of policies stated they would not share information without the consumers' express consent, but then assumed that the consumer had given consent unless the consumer explicitly opted out. Companies also largely failed to respond adequately, if at all, to consumer requests to access their own personal information.
Another CIPPIC study traced the means by which consumer information makes its way into the hands of data brokers. Not only do specialized data brokers collect this information from surveys and contests, but a number of different entities also sell this information to brokers. CIPPIC's list of data sellers included "magazines, newspapers, mail order retailers, email and other subscription services, travel agencies, product manufacturers (via registration/warranty cards), online educational and information services, and payment processing companies."
A report by the Information Commissioner to the UK Parliament revealed even more sinister "systematic breaches in personal privacy that amount to an unlawful trade in confidential personal information." The report documents the various abuses and crimes made possible by data brokers who use fraud and corrupt insiders to obtain personal information illegally. Among the customers of such illegal services were journalists, debt collectors, local authorities, stalkers, fraudsters, and other criminals. The Commissioner recommended increased penalties for the purchase or sale of personal data, as well as revoking the license of any private investigator cautioned or convicted for a violation.
GAO Report on Data Broker Regulation (pdf):
CIPPIC Report on Data Brokers:
CIPPIC Report on Compliance with Data Protection Laws:
UK Information Commissioner's Report:
EPIC's Data Brokers Page:
A security researcher in Germany has shown that he can clone the radio frequency identification (RFID) tags that the United States and other countries will be placing in passports later on this year. Lukas Grunwald, at the Black Hat security conference in Las Vegas, demonstrated that he could, with readily available technology, access the information on the RFID chip, copy it, and place it onto another document containing another RFID chip.
RFID chips will transmit the data contained within them when triggered by a radio signal. This allows them to be read remotely. The technology is scheduled to be placed in all U.S. passports by October of this year. Government officials have stressed that the passports will be protected from surreptitious cloning because the cover of the passport will block signals from reaching the RFID chip. However, the chip can still be read remotely and surreptitiously when the cover is opened--either by the passport holder or by anyone to whom the passport has been shown.
The shielding on an RFID-equipped passport also eliminates an oft-touted benefit of RFID technology--that the chips can be read more quickly and without the need for human inspection. If legitimate passports can be easily cloned, then the information contained within the chip must still be verified against the holder and against the information printed on the document--a process no faster than the current one.
These criticisms of the technology have already been raised by the Department of Homeland Security, in a draft report released in June. In that report, a subcommittee within the Department states that RFID should not generally be used for identifying individuals, since it "increases risks to personal privacy and security, with no commensurate benefit for performance or national security." The report also notes that carrying a remotely-readable document can erode anonymity, and privacy. Even if a document is encrypted, the mere presence of an unshielded RFID chip can indicate the type of document carried (such as a U.S. passport) and thus reveal information about those nearby (that someone in the vicinity is a U.S. citizen). Similar risks and vulnerabilities were raised by the Government Accountability Office in May 2005.
DHS Draft Report on RFID Vulnerabilities (pdf):
GAO Report on RFID Risks (pdf):
EPIC's RFID page:
Court Strikes Down Voter ID Check in Washington
A federal district court in the state of Washington blocked a new law that would prevent citizens from registering to vote if there were any discrepancies between a voter's name and the data in a Social Security Administration or Department of Labor database. The court ruled that the matching requirement placed an impermissible burden on voters, especially when an error or omission could easily result in a mismatch when the applicant was still actually eligible to vote. The court also held that the comparison violated the requirements of the Help America Vote Act, which requires matching only after voter registration, and only then as an administrative safeguard to store and maintain the list of voters, not as a restriction on voter eligibility.
Court's Opinion in Washington Association of Churches v. Reed (pdf):
EPIC's Voting Page:
Another Major Flaw in Diebold Voting Machine
The Open Voting Foundation discovered that a model of Diebold voting machine could be subverted with the flick of a switch. The nonprofit organization reported that, when a panel is removed with a screwdriver and a switch is flipped, the Diebold TS voting machine will automatically run whatever software is present on a flash drive attached to the machine. The flaw is such that the change could be reversed after the machine had been tampered with, leaving auditors with no evidence of the breach.
Open Voting Foundation:
EPIC's Voting Page:
GAO Releases Report on FOIA Compliance
A report issued by the Government Accountability Office found that more Freedom of Information Act requests are being delayed than before. The report indicates that the number of pending requests carried over from year to year has increased by 24% since 2004, rising to about 200,000 in fiscal year 2005. The number of requests received (a total of 2.6 million) increased only 2.5% over 2004. The report also showed that several agencies did not create measurable plans for reducing their backlogs, despite an executive order requiring this. Among those agencies were the Department of Commerce, the Department of Defense, and the Department of Veterans Affairs.
EPIC's FOIA Notes:
DHS Plans to Fingerprint Permanent Residents
The Department of Homeland Security recently proposed new rules greatly expanding the number of people who would be required to submit fingerprints to the US VISIT program. The expanded program would collect fingerprints from legal permanent residents, refugees seeking asylum in the United States, and many categories of Canadians not now include in the program. Under the proposed rules, fingerprints would be collected from the individuals at air and sea ports when reentering the United States. Homeland Security is requesting comments on this new proposal, and any member of the public may do so. The deadline for submitting comments is August 28, 2006.
Proposed Rule Expanding Fingerprinting:
Comment on the Rulemaking (search for DHS-2005-0037):
EPIC's US-VISIT Page:
Senate Approves Cybercrime Treaty
On August 3, the Senate ratified a treaty that expands the search and seizure powers of law enforcement in pursuing computer crimes. The Council of Europe's Convention on Cybercrime, sent to the Senate in 2003, criminalizes hacking (including the production, sale, or distribution of hacking tools), and expands criminal liability for intellectual property violations. The treaty also requires signatories to grant law enforcement additional search powers, such as being able to compel Internet service providers to monitor user activity. The treaty also requires that countries cooperate with each other in cybercrime enforcement to the "widest extent possible." Last year, EPIC issued a statement to the Senate Committee on Foreign Relations, opposing ratification. The creation of new surveillance powers without adequate safeguards, EPIC said, would erode privacy rights in the United States. "The Cybercrime Convention is much more like a law enforcement 'wish list' than an international instrument truly respectful of human rights," EPIC said.
EPIC's Cybercrime Convention Page:
EPIC's Statement on the Cybercrime Convention (pdf):
Privacy Law and the USA PATRIOT Act. Steve C. Posner. LexisNexis, 2006.
Drafted and passed only six weeks after September 11th, the USA PATRIOT Act has, in popular consciousness, been elevated beyond a mere law and into a symbol of increased government surveillance. Because of its iconic status, it has been cited by both its proponents and opponents as containing provisions it does not, confusing debates on government powers and surveillance. Steven Posner's treatise, "Privacy Law and the USA PATRIOT Act," focuses clearly upon the many areas of privacy law affected by the Act. The treatise begins with a thorough and well-cited legislative history, including the several bills proposed in the time between September 11th and the Act's introduction. The second chapter provides a good overview of the legal right to privacy, in its many nuances and subcategories. Each of the following chapters then proceeds through the Act title by title. This organization leads to some chapters, on issues less frequently debated or litigated, being somewhat terse, but no less useful. On the other hand, Chapter 4, on surveillance, is rightfully the longest and most comprehensive. Particular attention is paid to the Section 215 provisions that have raised such grave concerns over the privacy of library and business records. In dealing with these controversial sections, Posner takes the time to not only cite the relevant statutory material and case law, but also to provide the history and executive actions that informed the Act's creation, interpretation, and amendment. With methods like these, Posner's treatise takes an often-convoluted subject matter and makes it far more understandable.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New
York, New York. For more information:
Identity and Identification in a Networked World. New York University.
September 29-30, 2006. New York, New York. For more information:
34th Research Conference on Communication, Information, and Internet
Policy. Telecommunications Policy Research Conference. September
29-October 1, 2006. Arlington, Virginia. For more information:
6th Annual Future of Music Policy Summit. Future of Music Coalition.
October 5-7, 2006. Montreal, Canada. For more information:
The IAPP Privacy Academy 2006. International Association of Privacy
Professionals. October 18-20, 2006. Toronto, Ontario, Canada.
International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November
2006. Markham, Ontario, Canada. For more information:
Internet Governance Forum (IGF) October 30-November 2, 2006. Athens,
Greece. For more information:
28th International Data Protection and Privacy Commissioners'
Conference. November 2-3, 2006. London, United Kingdom. For more
BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:
CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.