E P I C A l e r t
The State Department recently published a proposed rule in the Federal Register for the creation of the People Access Security Service (PASS) card, which would be used for "international travel by U.S. citizens through land or sea ports of entry between the United States, Canada, Mexico, the Caribbean, and Bermuda." If adopted as proposed, the PASS Card would include a long-range wireless technology that would create an increased security risk. This is a significant change from the previous system, where U.S. citizens would show a driver's license, birth certificate or nothing at all to cross the border.
The Intelligence Reform and Terrorism Prevention Act of 2004 mandated that, by January 2008, the departments of Homeland Security and State develop and implement a plan to require U.S. citizens and foreign nationals to present a passport or other documents to prove identity and citizenship when entering the United States from certain countries in North, Central or South America. This program is called the Western Hemisphere Travel Initiative, and accepted documents for U.S. citizens will be either a valid U.S. passport or the proposed PASS card.
The data on the PASS card would include the personal information currently displayed in passports, "bearer's facial image, full name, date and place of birth, passport card number, dates of validity and issuing authority." The card will "utilize Radio Frequency (RF) technology to store and transmit" a unique reference number to the border official so that she may access the traveler's information in a large federal database, "which could include additional information, for example, information about the bearer's membership in one of [Customs and Border Protection's] international trusted traveler programs," according to the State Department.
There are significant privacy and security risks associated with the use of RFID-enabled PASS cards to track the entry and exit of U.S. citizens, including clandestine tracking of individuals, "skimming," and "eavesdropping." Skimming occurs when information from an RFID chip is surreptitiously gathered by an unauthorized individual. Eavesdropping occurs when an individual intercepts data as it is read by an authorized RFID reader. In the absence of effective security techniques, RFID tags are remotely and secretly readable. The State Department said the PASS card would use "vicinity read technology" that "would allow the passport card data to be read at a distance of up to 20 feet from the reader." This longer distance increases the security risk, as unauthorized readers could be hidden a significant distance from the PASS cardholder.
Sen. Leahy co-sponsored, with Sen. Ted Stevens of Alaska, legislation to postpone implementation of the Western Hemisphere Travel Initiative until certain requirements are met. The legislation, recently passed, mandates that the departments of Homeland Security and State "ensure that the technology for any Passport Card (PASS Card) meets certain security standards - and that the National Institutes of Standards and Technology certify the technology chosen by DHS and State," Sen. Leahy said. Upon learning of the State Department's proposed rule for the PASS card technology, Sen. Leahy expressed disappointment. "This draft rule shows the importance of our reforms to improve the PASS Card system and to make these agencies more accountable.... Without even testing the technology for use as a passport or personal ID, they have chosen a weaker security standard that would make our borders less secure and that would risk the personal information of millions of Americans," he said. The public has until December 18 to comment on the proposed PASS card.
The European Union, which includes 25 member states, is also scrutinizing RFID technology. The increasing use of RFID technology "will raise tremendous challenges for sovereignty, individual liberties and economic independence. It will be necessary that citizens keep control of how the information concerning them is utilized and updated and how the tags can be deactivated," EU Information Society Commissioner Viviane Reding recently said at the EU RFID 2006 Conference. The European Commission is considering proposing legislation in 2007 to ensure privacy safeguards in the use of RFID technology.
State Department's Federal Register PASS Card Proposal:
EPIC's Spotlight on Surveillance: "Homeland Security PASS Card: Leave Home Without It":
http://www.epic.org/privacy/surveillance/spotlight/0806 Speech of Viviane Reding, Member of the European Commission responsible for Information Society and Media, "RFID: Why we need a European Policy" (pdf):
EPIC's Page on RFID:
All 19 federal departments and agencies have had incidents of lost or stolen personal data since 2003, according to a report released last week by the House Government Reform Committee. The nearly 800 incidents of data losses have affected millions of citizens.
In July, the committee asked all cabinet agencies, the Office of Personnel Management and the Social Security Administration to detail incidents involving the loss or compromise of any sensitive personal data held by an agency or a contractor since January 1, 2003. Most of the data losses have not been publicly reported, and the report said the "vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees."
The report said that the agencies often did not know what data was lost or how many individuals were affected. Also, "agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete."
The committee probed the question of data security after an information security breach in May by a Veterans Affairs employee resulted in the theft from his Maryland home of unencrypted data affecting 26.5 million veterans, active-duty personnel, and their family members. The laptop and an external hard drive containing unencrypted information were later found. But the recovery of the equipment came as newly discovered documents showed that Veterans Affairs had given permission in 2002 for the analyst, from whom the equipment was stolen, to work from home with data that included millions of Social Security numbers, disability ratings and other personal information. Agency officials previously said the analyst was fired because he violated agency procedure by taking the data home.
Many commercial data security breaches also have occurred in the last year and a half. Data broker ChoicePoint revealed in February 2005 that it had sold information on about 400,000 people to identity thieves. A short time later, Bank of America misplaced back-up tapes containing detailed financial information on 1.2 million employees in the federal government, including many members of Congress. Lexis-Nexis made available records from its Seisint division on 32,000 Americans to a criminal ring that exploited passwords of legitimate account holders.
House Committee On Government Reform: "Staff Report: Agency Data Breaches Since January 1, 2003" (pdf):
EPIC's Page on ChoicePoint:
EPIC's Page on the Veterans Affairs Data Theft:
The European Union and the United States concluded a new deal on passenger name record on October 6, nearly a week after the deadline imposed by the European Court of Justice in voiding the previous accord. The 25 EU countries have given final approval to the deal, and it will remain valid until July 2007.
The agreement differs from the previous accord in several significant ways, according to EU Justice Commissioner Franco Frattini. The Department of Homeland Security no longer has the automatic right to pull data on travelers aboard U.S.-bound flight but instead must ask for the information. Moreover, the department may disclose the data to other US law enforcement agencies only if they adhere to similar standards of data protection. However, prominent EU politicians, including Sophie In't Veld, Rapporteur for the EU-US agreement on PNR, have questioned whether the agreement is worded to cloak increased access for American law enforcement in language that seems to comply with EU privacy laws.
As under the previous agreement, which had been in place since May 2004, passenger name records (PNRs) on travelers from Europe will be transmitted to the U.S. Department of Homeland Security within 15 minutes of a flight's departure. PNRs are data held by air carriers and travel agents collected during booking, and can include passenger travel dates, home and work addresses, payment details, members of the party and meal preferences. The minimum amount required for a travel booking is a name, contact information, and itinerary.
Since the European Court of Justice ruled in May that the agreement was illegal because it exceeded the scope of the 1995 EU Directive on data protection, the two sides have been engaged in high-level negotiations over the terms of a new accord. The Department of Homeland Security sought increased access to the passenger name records, including the right to share passenger data with other US government agencies. The European Union delegation was concerned that such use of citizens' data would violate European privacy laws.
Last month, the Transatlantic Consumer Dialogue (TACD), a coalition of US and EU consumer groups, wrote to US and EU officials, urging them to include privacy safeguards in air passenger data sharing agreements. The consumer groups requested that officials considering PNR sharing abide by three criteria. First, the agreement must respect the May 2006 European Court of Justice decision that PNR sharing agreements must have an adequate legal basis and be respectful of U.S. and EU privacy laws. Second, the U.S. and EU must conduct a study comparing the effectiveness of passenger profiling with other safety techniques. Third, the groups held that an annual report of PNR sharing must be published.
Council of the European Union Press Release adopting temporary PNR agreement:
http://www.consilium.europa.eu/ueDocs/newsWord/en/er/91308.doc Ruling of the European Court of Justice:
http://www.epic.org/redirect/ec_court_passenger.html EPIC's Privacy Law Sourcebook (containing the text of the EU Data Directive):
Text of TACD letter:
EPIC's Page on EU-US Airline Passenger Data Disclosures:
The Internet Corporation for Assigned Names and Numbers (ICANN), the group that sets Internet policies for domain names, has reached a new agreement with the Department of Commerce that may limit domain name owner privacy. The new agreement includes a provision that "ICANN shall continue to enforce existing policy relating to WHOIS, such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information."
ICANN is the corporation that manages the assignment of domain names (such as epic.org) to Internet Protocol addresses. Every person or company that registers a domain name is required to make certain information publicly accessible to a WHOIS lookup. This information includes the contact information for the domain name holder, including her mailing address, e-mail address, telephone number, and fax number. This same information has to be provided for the site's administrative contact and technical contact.
The Department of Commerce has argued in the past that all WHOIS information needs to be public and accurate. The department has complete control over the .us top-level domain, and in February of last year, it ordered that registrants of .us names must give their full, complete registration information and that they may not register a name through a proxy. In testimony before a subcommittee of the House Financial Services Committee this summer, the department argued that all WHOIS information should be required to be public and accurate.
At the same hearing, EPIC Executive Director Marc Rotenberg testified in support of ICANN's recent decision to limit WHOIS to providing technical contacts for resolving network issues. That formulation of WHOIS allows law enforcement and other authorized users to find owners of Web sites, but the general public only has access to technical information necessary for the functioning of the Internet. Rotenberg argued that a public WHOIS database could chill unpopular political speech as well as providing personal contact information to spammers and stalkers.
Joint Project Agreement between the Department of Commerce and ICANN (pdf):
EPIC's Testimony Before the Subcommittee on Financial Institutions and Consumer Credit. Committee on Financial Services (July 18, 2006) (pdf):
EPIC Amicus Brief in Peterson v. National Telecommunications and Information Administration supporting privacy for domain name owners (pdf):
EPIC's Page on WHOIS Privacy:
Documents showing that the Defense Department's collection of information on anti-war protests was far more extensive than previously thought were obtained under a Freedom of Information Act request by the American Civil Liberties Union. The documents show that the military officials labeled as "potential terrorist activities" events ranging from a “Stop the War Now” rally in Akron, Ohio to antiwar protests by Quakers. A Defense Department spokesperson said that "questionable data collection" had led to a tightening of the department's procedures so that only information that is relevant to terrorism and related threats is collected.
One protest was placed in the database after a Department of Homeland Security source received an e-mail from the American Friends Service Committee (a Quaker peace group) about protests that focusing on military recruitment offices with the goals of "raising awareness, education, visibility in community, visibility to recruiters as part of a national day of action." Other documents indicate that the Defense Department was particularly concerned with disruption to military recruiting and recruiters, though an internal report in May 2005 states: "no reported incidents have occurred at these protests."
The latest disclosure comes after the Defense Department's acknowledgment last year that it had maintained a database, known as TALON, on over 1,500 "suspicious incidents" around the United States in 2004 and 2005. The department admitted that it had maintained the information after it was determined that there was no threat from the protests and past the 90 days its guidelines provided for. The department also monitored student speech and e-mails at several universities across the country, tracking students involved in protesting military policies.
In addition to using TALON to monitor students, the Defense Department also has programs that focus on collecting student information. In May 2005, the Department announced that it was going to create a massive database for recruiting. The Pentagon's "Joint Advertising and Market Research" system combines student information, Social Security numbers, and information from state motor vehicle repositories into a unified database housed at a private direct marketing firm. In June 2005, EPIC and other privacy and consumer groups objected to the creation of the database, arguing that it violated the Privacy Act and was unnecessarily invasive. In addition, EPIC joined over 100 groups in sending a letter to Secretary of Defense Donald Rumsfeld protesting the database.
FOIA documents about the database obtained by the ACLU:
EPIC Memo on DOD Database (pdf):
http://www.epic.org/privacy/student/epic_dod_71505.pdf Coalition Letter to the DOD Criticizing JAMRS:
Government Report: Thousands Misidentified on Watch Lists
More than 30,000 have been mistakenly linked to names on terror watch lists when they crossed the border, boarded commercial airliners or were stopped for traffic violations, according to a report by the Government Accountability Office. The false positive problem - when a person who is not a suspect is mistakenly matched to a watch list - is difficult to fix. When Sen. Ted Kennedy was improperly matched, he could only resolve the problem with the help of then-Homeland Security Secretary Tom Ridge. The watch lists include 325,000 names of terrorism suspects or people suspected to aid them. This is more than quadruple the 75,000 names on the lists when they were created in 2003.
Government Accountability Office, "Terrorist Watch List Screening: Efforts to Help Reduce Adverse Effects on the Public GAO-06-1031" (Sept. 29, 2006) (pdf):
Colorado Governor Candidate Alleged to Abuse Database Access
Colorado governor candidate Bill Ritter has alleged that his opponent, Bob Beauprez, improperly accessed the FBI's National Criminal Information Center (NCIC) database to get data for a television ad. The database contains millions of records on criminal activity and is to be used for law enforcement purposes. The Ritter campaign claims that the Beauprez campaign used the database to investigate Ritter's performance as the former Denver District Attorney. Beauprez has denied any wrongdoing.
National Criminal Information Center:
Chicago Mayor: Surveillance Camera on Every Corner by 2016
Chicago Mayor Richard Daley said that he plans that by 2016, there will be a surveillance camera on every corner in the city. "We'll have more cameras than Washington, D.C. ... Our technology is more advanced than any other city in the world - even compared to London," he said. Chicago has more than 200 cameras, and Daley's Fiscal Year 2007 budget includes funds for 100 more cameras. Studies have repeatedly shown that cameras do not prevent crime. It is better to have police and better lighting than cameras. Detroit, Miami and Oakland all have abandoned their camera surveillance systems because they did not cut down on crime.
EPIC's Page on Video Surveillance:
MSNBC Report: 'Privacy Lost: No Secrets in the Digital Age'
News organization MSNBC is publishing a package on the loss of privacy in America. The topics include how technology and security affect privacy and how the U.S. and European Union laws differ. A Commentary by EPIC Executive Director Marc Rotenberg explains that legislators need more information before they can evaluate appropriately the NSA domestic surveillance wiretap program.
MSNBC Report: 'Privacy Lost: No Secrets in the Digital Age'
EPIC's Page on Domestic Surveillance:
GOP National Committee Mistakenly Releases Donors' Personal Data
The Republican National Committee erroneously e-mailed a list that contained the names, races, and Social Security numbers of dozens of top Republican donors to a reporter for the New York Sun. The incident raises questions about the security and privacy safeguards the committee has to protect the personal data of its donors. It also reiterates how easy it is for data collected to be distributed to large groups, even mistakenly.
Republican National Committee site:
"Digital Fortress" by Dan Brown (St. Martin's Press 2004).
In this novel, Dan Brown explores the world of NSA cryptography through a suspenseful plot that finds the NSA's secret, most effective code-breaking computer in the middle of a hostage situation. A former NSA employee has developed a code that the NSA, and all its brute-force technology cannot break. If the code were made accessible to the public, it would ostensibly cripple the U.S. intelligence efforts.
While this novel is a somewhat predictable, it delves into the debate as to whether national security necessitates the surrender of personal privacy in the United States. Although it is written from the viewpoint of the NSA, the author presents arguments, generally through sarcastic references to the Electronic Frontier Foundation, that the total erosion of the American people's privacy is not necessary to fight terrorism.
Dan Brown is also the author of "The Da Vinci Code" and "Angels and Demons."
-- Courtney Barclay
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November
2006. Markham, Ontario, Canada. For more information:
Companies Caught in the Middle: Legal Responses to Government Requests
for Customer Information. University of San Francisco. October
2006. San Francisco, California. For more information:
Internet Governance Forum (IGF) October 30-November 2, 2006. Athens,
Greece. For more information:
28th International Data Protection and Privacy Commissioners'
Conference. November 2-3, 2006. London, United Kingdom. For more
BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:
5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more
CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.