EPIC Alert


EPIC Alert 13.02 [2006] EPICAlert 2


Volume 13.02 January 27, 2006

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
Table of Contents

[1] FTC Announces Choicepoint Data Breach Settlement
[2] EPIC Sues Justice Department for Warrantless Surveillance Records
[3] State and Federal Governments Address Illegal Phone Record Sales
[4] Justice Department Subpoenas Search Records; Google Resists
[5] EPIC Comments on Junk Faxes, Preemption of State Law
[6] News in Brief
[7] EPIC Bookstore: Edmund J. Pankau's "Hide Your Assets and Disappear"
[8] Upcoming Conferences and Events

[1] FTC Announces Choicepoint Data Breach Settlement

On January 26, the Federal Trade Commission announced that it had reached a multi-million dollar settlement with data broker Choicepoint regarding the company's poor privacy and data security practices, as well as violations of federal law. Choicepoint will pay $10 million to the Commission and will have to pay an additional $5 million to redress the harms suffered by consumers. It is the largest civil penalty in FTC history.

The settlement, the largest of its kind, brings an end to an FTC action that accused Choicepoint of risking the personal information of at least 163,000 individuals. Choicepoint sold these records to a crime ring of identity thieves, without performing basic security checks and ignoring warning signs that the thieves were not who they claimed to be. At least 800 claims of identity theft are known to have arisen as a result of these lapses.

According to the Commission, Choicepoint, which sold the records of at least 163,000 individuals to a criminal ring of identity thieves, violated federal law by failing to maintain reasonable procedures to protect information, and also by falsely advertising that they adequately shielded personal information from fraud and misuse.

“The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”

EPIC filed a complaint with the Federal Trade Commission in December 2004 that described Choicepoint's sale of personal information that failed to provide the privacy safeguards of the Fair Credit Reporting Act.

However, the FTC failed to act on the EPIC complaint until the press reported on the sale of personal data by Choicepoint to a criminal ring engaged in identity theft. More than 800 consumers so far have been victims of identity theft as a result of that disclosure.

EPIC has recommended legislation that would allow consumers access to, and the ability to correct, personal records maintained by data brokers, as well as mandatory notification when individuals' personal information had been breached.

Federal Trade Commission Press Release:

Federal Trade Commission Court Documents:

EPIC's Choicepoint web page:

EPIC's 2004 Complaint:

[2] EPIC Sues Justice Department for Warrantless Surveillance Records

Last week, EPIC filed a Freedom of Information Act lawsuit against the Department of Justice. The suit asks a federal court to order the Department to disclose information about the National Security Agency's warrantless domestic surveillance program within 20 days. EPIC argued in its court papers that the debate surrounding the activity "cannot be based solely upon information that the Administration voluntarily chooses to disseminate." The case has been assigned to Judge Henry H. Kennedy, Jr. of the United States District Court for the District of Columbia.

Last month, the New York Times reported that President Bush secretly issued an executive order in 2002 authorizing the NSA to conduct warrantless surveillance of international telephone and Internet communications on American soil. It was also reported that the Justice Department has played a key role in authorizing, implementing and overseeing this controversial activity. President Bush has acknowledged the existence of the surveillance program and vowed that it would continue.

EPIC submitted FOIA requests to the NSA and Department of Justice just hours after the existence of the program was first reported. Noting the extraordinary public interest in the program and its potential illegality, EPIC asked the agencies to process the requests quickly. The Justice Department agreed that the requests warranted priority treatment, but has now failed to comply with the Freedom of Information Act's usual time limit of 20 working days.

In response to EPIC's request, the NSA has released two internal messages from the agency's director to staff, which defend the NSA's warrantless eavesdropping and discourage employees from discussing the program with the news media. The NSA has withheld all other material responsive to EPIC's request. EPIC has asked the agency to reconsider its decision.

EPIC's complaint (pdf):

EPIC's motion for preliminary injunction (pdf):

Internal messages obtained from the NSA by EPIC through the Freedom of Information Act (pdf):

EPIC's Warrantless Surveillance FOIA Page:

[3] State and Federal Governments Address Illegal Phone Record Sales

Many different government entities are taking legal action to address the problem of online data brokers who obtain and sell phone records. These companies openly advertise their ability to obtain personal information of other people for a fee. In addition to phone records, some of these companies offer to sell the identities of individuals who participate in dating services, such as and Lavalife; others offer the real identities of individuals based on their "AOL Screename" or their P.O. Box ownership. This information is obtained through "pretexting," a practice where an investigator impersonates the account holder in order to trick the business into releasing records.

In July 2005, EPIC filed a complaint with the Federal Trade Commission urging the agency to take action against online data brokers (See EPIC Alert 12.14). In August, EPIC supplemented that complaint with a list of 40 websites that offered to sell personal information, and petitioned the Federal Communications Commission to require telephone carriers to enhance their security standards for customer information (See EPIC Alert 12.18). The FCC's Enforcement Bureau has initiated an investigation and issued subpoenas to online data brokers under its existing statutory authority to protect phone records. The FCC has yet to act formally on the EPIC petition.

On the federal level, two Senate bills have been introduced to prohibit accessing phone records through pretexting. Two more bills are expected in the House of Representatives. Generally, the bills prohibit the use of pretexting or trickery to obtain records and the resale of phone records. Next week, EPIC will testify before the House Energy and Commerce Committee on the need for carriers to shield records and for a ban on pretexting.

Attorneys General from Illinois, Missouri, and Florida have brought suit against companies identified by EPIC as selling phone records. Additionally, telephone carriers Verizon Wireless, Cingular, and T-Mobile have brought suits against online data brokers for fraud and misrepresentation. EPIC has supported these enforcement efforts, but regulatory intervention is needed to solve this privacy problem in the long term. Otherwise, these data brokers simply will reform as new companies or "go underground" once authorities' attention turns to other matters.

EPIC Illegal Sale of Phone Records Page:

S. 2177, the Phone Records Protection Act of 2006:

S. 2178, the Consumer Telephone Records Protection Act of 2006:

[4] Justice Department Subpoenas Search Records; Google Resists

The U.S. Justice Department recently asked a federal court in California to compel Google to turn over records revealing all of the queries entered into the prominent search engine over the course of a week in 2005. The motion to compel comes after months of negotiations between Google and the Justice Department, during which Google has refused to turn over the records, claiming that the request was overly burdensome and a threat to Google's trade secrets and possibly users' privacy.

In August of last year, the government originally sought a list of all of the sites indexed by Google, as well as all queries entered into Google from June 1, 2005 to July 31, 2005. This request was later narrowed to a random sampling of 1 million URLs from the Google index and all search queries made during a one-week period.

The requests highlight a privacy vulnerability in individuals' dealings with search engines and other online companies. Though the government did not ask for any personally identifiable information in its request, Google does store search histories, email logs, and other information in such a way that online activities can be traced back to individuals. Nothing would prevent the government from requesting these logs in the next case, or even as a follow-up to information gathered in this particular sweep.

The current request for records comes not in connection with any particular criminal or civil law enforcement action, but rather an attempt to justify the 1998 Child Online Protection Act. The law would have criminalized sites that posted adult material online, unless the site required visitors to provide a credit card number or some form of age verification. This law was challenged in 1998 by civil liberties groups, including EPIC, and in 2004 the Supreme Court upheld a preliminary injunction preventing the law's enforcement, claiming that it was overly restrictive to free speech. The Court then remanded the case back down to the trial court for a full trial on the law's constitutionality.

As part of its fact-gathering for this trial, the Justice Department is attempting to show that less restrictive methods of keeping children from offensive material, such as web filters, are ineffective. How the sampling of URLs and search requests from Google will help in this effort is unclear, though it is possible that the vast amount of data sought could be processed in a way that shows that searches can inadvertently return objectionable material.

Google is not the only company to have its records sought by the Justice Department. Reports have indicated that Microsoft, Yahoo, and AOL have also been subpoenaed, and have turned over similar information to the government.

DOJ's Motion to Compel Google Documents (pdf):

Declaration of DOJ Attorney, with Correspondence Between DOJ and Google (pdf):

Declaration of DOJ Statistician Philip Stark (pdf):

EPIC's Child Online Protection Act (Ashcroft v. ACLU) Page:

[5] EPIC Comments on Junk Faxes, Preemption of State Law

In comments to the Federal Communications Commission, EPIC recommended a series of protections to shield individuals against junk faxes. The comments were in response to a request for guidance in the implementation of the Junk Fax Prevention Act (JFPA). That law, passed by Congress in 2005, actually made it easier for advertisers to send junk faxes by explicitly adding an "established business relationship" exemption to the federal prohibition on sending fax advertising. This exemption, which junk faxers previously tried to create through litigation, allows businesses to send messages to their current customers. If an individual makes any purchase or requests any information from a business, she has created an "established business relationship."

The JFPA requires junk faxers to place an opt-out notice on the message, and to maintain a cost-free mechanism for individuals to opt out. EPIC specified that the opt-out notice should appear at the top of the fax message, identify the sender of the message, and state that it was sent pursuant to the "established business relationship" exemption.

Under the JFPA, the business can harvest a customer's fax number from sources where the customer voluntarily disseminated it. EPIC argued that companies should not be able to use fax number directories or numbers published on web sites to harvest fax numbers unless it is coupled with a statement that the holder of the number wishes to receive unsolicited fax messages.

In separate comments, EPIC argued that the federal JFPA should not supersede or "preempt" California's heightened protections against junk faxes. In reaction to the passage of the JFPA, California legislators moved quickly to protect state residents from junk faxes by requiring affirmative consent from the recipient before businesses can send messages. EPIC argued that although junk faxers use interstate communications to send messages, California has a strong interest in regulating the practice.

EPIC Comments on the Junk Fax Prevention Act:

EPIC Comments on Preemption of State Junk Fax Laws:

EPIC Statement on the Junk Fax Prevention Act:

[6] News in Brief

Creation of National ID Card Will Be a Nightmare, Report Shows

State motor vehicle officials across the nation say it will be a nightmare to implement the REAL ID Act, a law passed in May that will turn driver's licenses into national ID cards. A comprehensive survey concluded last August but recently obtained by the Associated Press revealed the costs of implementation have been vastly underestimated by the government, which initially put the total price at $100 million. According to the survey, Pennsylvania alone would spend $85 million on REAL ID.

American Association of Motor Vehicle Administrators' Report on the REAL ID Act (pdf):

EPIC's National ID Cards and REAL ID Act page:

U.S. Government to Test E-Passports in San Francisco

The Department of Homeland Security has begun testing E-Passports at San Francisco International Airport. The E-Passports contain Radio Frequency Identification chips, which transmit information wirelessly. Testing conducted last year revealed that such E-Passports impede the inspection process, according to documents recently obtained by EPIC under the Freedom of Information Act. EPIC has urged the agency to abandon the use of such technology in passports because of significant security and privacy issues.

DHS Press Release Announcing the San Francisco Test:

EPIC's Comments to DHS About E-Passports, December 2005 (pdf):

EPIC's RFID page:

Survey: Americans Value Health Privacy, Have Security Concerns

Survey results released on January 17 by Health Industry Insights indicate that Americans are deeply concerned about the vulnerability of their medical records online. A third of all respondents indicated that the fear of their medical information being revealed on the Internet was a reason they felt less comfortable sharing information with primary care physicians. Nearly half (47%) who felt uncomfortable sharing information with their primary care doctors wanted control over who accesses their information. These results reinforce the need for privacy to be built into any health information technology system, such as the proposed national health IT network. EPIC and Patient Privacy Rights are asking concerned citizens to sign an electronic petition demanding that privacy rights be put back into healthcare law.

"I Want My Medical Privacy" Petition:

Patient Privacy Rights:

EPIC's Medical Privacy Page:

Apple Changes its iTunes in Response to Privacy Concerns

In response to criticism from privacy and consumer advocates, Apple recently announced changes to the latest version of iTunes. Version 6.0.2 originally enabled by default a feature known as the "MiniStore," which would report to Apple the track that a user was listening to and use the information to serve advertising to the user's iTunes player. Privacy advocates, including EPIC, noted that Apple had not disclosed this practice to users, nor how Apple planned to store, share, or otherwise use the information. In response, Apple altered the program so that the feature was off by default, and provided a clear warning to users as to what information would be sent and that it would not be stored.

iTunes Privacy Policy:

ID Theft Tops List of Federal Trade Commission Complaints

The Federal Trade Commission recently released its annual report of consumer complaints about fraud and identity theft. As in previous years, complaints about identity theft were by far the most common, accounting for 37 percent of the 686,683 complaints filed. Other common areas for complaint included Internet auctions (12%), foreign money offers (8%), catalog sales (8%), and lotteries (7%). Credit card fraud was the most common form of reported identity theft, followed by phone or utilities fraud, bank fraud, and employment fraud.

FTC Consumer Complaint Report (pdf):

EPIC's Identity Theft Page:

[7] EPIC Bookstore: Edmund J. Pankau, "Hide Your Assets and Disappear"

Edmund J. Pankau, Hide Your Assets and Disappear, A Step by Step Guide to Vanishing Without a Trace, 1999 Harper Collins

Books on "asset protection" always begin with some sort of reactionary justification for hiding one's money from others. Something about asset protection requires one to clear their conscience. Sometimes it's the specter of the IRS, often referred to as the "devil" in asset protection books. Other times it's the deficit or anything to do with Bill Clinton. In Pankau's "Hide Your Assets and Disappear," it's the good-for-nothing former spouse who's after your millions and prized yacht. Did I mention that she performed a sexual favor for the judge, resulting in a lopsided marital settlement? Clearly, such an action justifies abandoning legal responses in favor of moving one's assets to frustrate satisfaction of the settlement.

Once you're free from guilt, Pankau's advice can help you funnel money outside the country, establish a new identity, and even leave false trails to mask your actual location. Pankau not only reviews the popular havens for hiding, but gives the reader tools to evaluate whether a country is still a good place to avoid the IRS and that ex-wife you married. Pankau emphasizes that if you want to disappear, you have to disappear. That means a lot of inconvenience. And absolutely no contact with family members or friends from your old life. If you think you're ready for that, pick up Pankau's book.

Chris Jay Hoofnagle

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 60 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2004 is the most comprehensive report on privacy and data protection ever published.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Data Devolution: Corporate Information Security, Consumers and the Future of Regulation. Fredric G. Levin College of Law, University of Florida. February 3-4, 2006. Gainesville, Florida. For more information:

Who Can You Trust?: Privacy and Security is Everyone's Responsibility. Reboot Communications. February 9-10, 2006. Victoria, British Columbia, Canada. For more information:

IAPP National Summit. International Association of Privacy Professionals. Washington, DC. March 8-10, 2006. For more information:

Beyond the Basics: Advanced Legal Topics in Open Source and Collaborative Development in the Global Marketplace. University of Washington School of Law. March 21, 2006. Seattle, Washington. For more information:

Making PKI Easy to Use. National Institutes of Health. April 4-6, 2006. Gaithersburg, Maryland. For more information:

First International Conference on Availability, Reliability and Security. Vienna University of Technology. April 20-22, 2006. Vienna, Austria. For more information:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine Institute for Software Research and the National Science Foundation. April 22-23. Montreal, Quebec, Canada. For more information:

The First International Conference on Legal, Security and Privacy Issues in IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For more information:

Computers, Freedom, and Privacy Conference (CFP 2006). Association for Computing Machinery. May 2-5, 2006. Washington, DC. For more information:

International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Oshawa, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

