E P I C A l e r t
The Department of Homeland Security has extended until Friday, December 29 the deadline for public comments for the "Automated Targeting System," a federal database that creates secret, terrorist ratings on tens of millions of American citizens. The legality of traveler profiling system is in question. Rep. Bennie Thompson (D-MS) said that "serious concerns have arisen that, with respect to U.S. citizens and possibly lawful permanent aliens, some elements of ATS as practiced may constitute violations of privacy or civil rights."
The Automated Targeting System was originally established to assess cargo that may pose a threat to the United States, but DHS proposes to use the system to establish a secret terrorism risk profile for millions of peoples. Simultaneously, DHS is seeking to remove Privacy Act safeguards for the database. The Automated Targeting System's terrorist risk profiles will be secret, unreviewable, and maintained by the government for 40 years. The profiles will determine whether individuals will be subject to invasive searches of their persons or belongings, and whether U.S. citizens will be permitted to enter or exit the country.
The Identity Project submitted comments stating that ATS is prohibited by Section 514(e) of the 2007 Homeland Security Appropriations Act. The section reads, "None of the funds provided in this or previous appropriations Acts may be utilized to develop or test algorithms assigning risk to passengers whose names are not on Government watch lists." Previous DHS appropriations acts have similar provisions. An agency spokesman said the language in the appropriations bill does not cover ATS and insisted the program is legal.
EPIC, 29 organizations and 16 privacy and technology experts filed comments highlighting privacy and security risks inherent in ATS and urging the agency to suspend the program and to fully enforce Privacy Act obligations. The problems of the Automated Targeting System are described in the current EPIC Spotlight on Surveillance.
Submit comments on the Automated Targeting System here:
Department of Homeland Security, Notice of Privacy Act system of records, 71 Fed. Reg. 64543 (Nov. 2, 2006):
http://edocket.access.gpo.gov/2006/06-9026.htm Comments of the Identity Project on ATS (pdf):
Comments of EPIC, 29 organizations and 16 privacy and technology experts on ATS (pdf):
EPIC's October 2006 Spotlight: "Customs & Border Protection's Automated System Targets U.S. Citizens":
EPIC's page on the Automated Targeting System:
In the last days of the session, Congress passed the Law Enforcement and Phone Privacy Protection Act. The bill, which will become law once signed by President Bush, creates federal criminal penalties for "pretexters" who access telephone records -- including voice-over-IP calling records. In "pretexting," a person pretends to be someone else in order to access his records.
The Law Enforcement and Phone Privacy Protection Act prohibits accessing phone records by making false and fraudulent representations, using false documents, or accessing the records online by fraud. The bill also targets data brokers that are in the business of selling pretexted telephone records. Lastly, individuals who receive or purchase telephone records are also punished. The bill does not place any restrictions or duties upon telephone companies holding the data, such as limitations on data retention or the creation of privacy safeguards.
The bill provides an exemption for law enforcement; this means that law enforcement officials can bypass the judicial subpoena process and use false and fraudulent representations to gain access to the telephone records of individuals. The bill does not preempt state laws; therefore, states can still impose greater penalties on phone record sales, or use other legal tools to stop pretexting.
In testimony before both the House and the Senate earlier this year, EPIC stated that private records being bought and sold in the public market present serious risks to victims of domestic violence and stalking, and that there is no reason why an individual should be able to obtain these records through pretexting, or outside of existing legal process. EPIC opposed any exemptions to a ban on pretexting, because routine procedures under the law, such as warrants and subpoena powers, exist for legitimate investigations.
The bill does not criminalize pretexting of personal records other than phone records. Data brokers also trade in other personal information, such as the identities of users of online dating services, or location information. In the case of Amy Boyer, her stalker, Liam Youens, identified her work location by hiring an investigator who used pretexting. Youens went to her workplace, killed Boyer and then himself. Such use of pretexting would not be prohibited by this bill.
Last summer, Hewlett-Packard's use of pretexting as an investigative tool resulted in the renewed interest in regulating this activity. This week, Hewlett-Packard settled a civil suit filed by the California Attorney General over its use of pretexting of reporters' and board members' telephone records. In the settlement, the company promised to make corporate governance reforms and pay $14 million into a state fund. The fund will be used to investigate privacy and intellectual property piracy investigations.
EPIC's page on the Illegal Sale of Phone Records:
EPIC testimony before the Senate Committee on Commerce, Science, and Transportation Subcommittee on Consumer Affairs, Product Safety, and Insurance at a hearing on "Protecting Consumers' Phone Records" (Feb. 2006):
EPIC testimony before the House Committee on Energy and Commerce at a hearing on "Phone Records for Sale: Why Aren't Phone Records Safe From Pretexting?" (Feb. 2006) (pdf):
Law Enforcement and Phone Privacy Protection Act (the final bill is version 4):
California Attorney General's Statement on Hewlett-Packard Settlement:
EPIC's page on the Amy Boyer case, including an amicus brief filed by EPIC:
Sen. Daniel Akaka (D-HI) and Sen. John Sununu (R-NH) introduced legislation on December 8 to repeal Title II of the REAL ID Act of 2005, which mandates federal identification standards and requires that state DMVs collect sensitive personal information. Congress passed REAL ID without a hearing even though legislators in both parties urged debate. The senators said they believe REAL ID "places an unrealistic and unfunded burden on state governments and erodes Americans' civil liberties and privacy rights." The National Conference of State Legislatures had released a report estimating REAL ID's cost to the states would be more than $11 billion over five years.
The Identification Security Enhancement Act (ISEA), S. 4117 replaces REAL ID with language from the act it repealed, the Intelligence Reform and Terrorism Prevention Act of 2004. That act included "carefully crafted language -- bipartisan language -- to establish standards for States issuing driver's licenses," said Sen. Richard Durbin (D-IL). The Identification Security Enhancement Act requires that new guidelines for driver's licenses and identification cards be developed by a shared rulemaking process involving federal officials, state governments and privacy experts.
ISEA also includes strong security and privacy protections that were not in the 2004 law. ISEA requires that states confiscate licenses and ID cards "if any component or security feature" of the cards is compromised. However, there is not a breach notice requirement -- if the security of the database or card is compromised, then each individual affected should receive notice.
ISEA also requires "procedures and requirements to protect the federal and state constitutional rights and civil liberties of individuals who apply for and hold” licenses and ID cards. The act will not preempt any stronger state legislation that is more protective of privacy. The act provides individuals with administrative rights to access and correction of their records; however, it does not prohibit the exemption of the database from Privacy Act of 1974 requirements ensuring judicial rights to access and correction.
One similarity between ISEA and the REAL ID Act contains a significant privacy risk. REAL ID requires licenses and ID cards display a person's "address of legal residence," while ISEA requires a person's "address of principal residence." Currently, domestic violence victims are allowed to list P.O. boxes or other addresses to protect their privacy. Including such alternatives in ISEA would combat the substantial privacy risk to such individuals.
The Identification Security Enhancement Act (S. 4117):
The REAL ID Act of 2005 (Pub. L. 109-13):
EPIC's page on National ID Cards and REAL ID Act:
EPIC's Domestic Violence and Privacy Project:
The Technical Guidelines Development Committee (TGDC) adopted a resolution that would prevent future voting systems from relying solely on the correctness of their software to determine the accuracy of elections. The significance of the resolution is to require the adoption of better techniques to verify the accuracy of elections. The resolution, offered by a member of TGDC's Security and Transparency Subcommittee, was based in part on the work done by National Institute of Standards and Technology (NIST) staff, which provides technical assistance to the TGDC as it prepares draft recommendations for the 2007 voting system guidelines.
The NIST paper explained the concept of "software independence" as a state wherein "an undetected change or error in software cannot cause an undetectable change or error in an election outcome." Dr. William Jeffrey, chair of the TGDC, explained that the resolution requires that the accuracy of a system's electronic records be able to be independently audited against a voter-verified record. The only systems that do this currently are paper-based, such as optical scan systems; however, the resolution does not preclude paperless systems from meeting the standard in the future.
The TGDC voted on the recommendation during its December 4-5 meeting. The TGDC is the technical advisory committee to the Election Assistance Commission created by the Help America Vote Act. The TGDC is chaired by the Director of NIST, and is responsible for the development of recommendations on electronic voting system standards. The first document produced by this process resulted in the 2005 Voluntary Voting System Guidelines.
Technical Guidelines Development Committee:
National Institute for Standards and Technology's HAVA Work:
NIST Paper: Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC (pdf):
Resolutions Adopted by the TGDC (pdf):
Election Assistance Commission
Testimony of NIST Director before the Election Assistance Commission (pdf):
National Committee for Voting Integrity:
On December 9, Congress passed S.1608, the "Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers Beyond Borders Act of 2006" (U.S. SAFE WEB Act of 2006). The U.S. SAFE WEB Act amends the Federal Trade Commission Act to bolster the Federal Trade Commission's efforts to protect consumers, specifically to combat spam, spyware, and Internet fraud and deception.
Provisions of the legislation authorize the FTC to share information with criminal authorities, which will improve information sharing with foreign agencies that treat consumer fraud and deception as a criminal law enforcement issue. The legislation also permits the FTC to work with the Department of Justice to increase the resources relating to FTC-related foreign litigation, such as freezing foreign assets and enforcing U.S. court judgments abroad.
A previous bill, titled the International Consumer Protection Act of 2003 (S.1234), similarly attempted to expand the powers of the FTC to share information about cross-border fraud. In testimony given on September 17, 2003, EPIC supported the passage of legislation that enables the FTC to work more closely with consumer protection agencies in other countries to safeguard the interests of consumer and user of online services, but said that provisions in the bill that reduce privacy safeguards, limit government oversight, and diminish legal safeguards should be removed.
The U.S. SAFE WEB Act is a marked improvement over the 2003 bill, and addresses many of the privacy issues raised by EPIC. It contains an improvement in government oversight from the previous bill, requiring a detailed report to Congress within three years of passage. The U.S. SAFE WEB Act also removed a provision which exempted information or material voluntarily provided relevant to possible unfair or deceptive acts or practices from the disclosure requirements of the Freedom of Information Act. The receipt of foreign information remains exempt from Freedom of Information Act disclosure.
While a provision was added to limit sharing of information to offenses that are covered by mutual legal assistance treaties, the U.S. SAFE WEB Act did not remove a provision that would allow investigations "without requiring that the conduct identified in the request constitute a violation of the laws of the United States."
U.S. SAFE WEB Act:
Summary of the U.S. SAFE WEB Act (pdf):
http://www.ftc.gov/reports/ussafeweb/Summary of US SAFE WEB Act.pdf
EPIC testimony before the House Committee on Energy and Commerce on the International Consumer Protection Act of 2003:
EPIC testimony before the Senate Committee on Commerce, Science and Transportation on the International Consumer Protection Act of 2003:
December 10 Marked International Human Rights Day
On Sunday, the world marked Human Rights Day, which commemorates the day United Nations General Assembly adopted the Universal Declaration of Human Rights: December 10, 1948. Territorial and communications privacy is specifically protected in Article 12 of the Declaration, which states, "No one should be subjected to arbitrary interference with his privacy, family home or correspondence, nor to attacks on his honour or reputation. Everyone has the right to the protection of the law against such interference or attacks." Nearly every country in the world includes a right of privacy in its constitution. At a minimum, these provisions include rights of inviolability of the home and secrecy of communications. Most recently written constitutions include specific rights to access and control one's personal information. In many of the countries where privacy is not explicitly recognized in the constitution, the courts have found that right in other provisions or in international agreements that have been adopted into law.
UN Declaration of Human Rights:
Human Rights Day 2006:
Privacy and Human Rights 2005:
Government to Release Report Criticizing RFID Use in IDs
A revised version of a report from the Department of Homeland Security Data Privacy and Integrity Advisory Committee will soon be released to the public. This version tones down language in the original draft but both reports conclude that radio frequency identification technology has a myriad of privacy and security vulnerabilities, especially in the context of ID documents. The draft report said, "RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity." EPIC has previously explained that, in the absence of effective security techniques, RFID tags are remotely and secretly readable, which create significant security problems.
Department of Homeland Security Data Privacy and Integrity Advisory Committee: DRAFT: The Use of RFID for Human Identification (pdf):
EPIC's page on RFID:
Massive Security Breach at UCLA Puts 800,000 at Risk
One or more hackers have gained access to a UCLA database containing personal data on about 800,000 of the university's current and former students, faculty and staff members. UCLA officials said the database had records containing individuals' names, Social Security numbers and birth dates. This is just the latest in a string of security breaches that exposed personal data. A number of federal data breach bills were proposed in Congress this year, though few implemented all of the proposals urged by state governments and consumer groups. At least 33 states already have data breach notification laws.
Press Release, UCLA Warns of Unauthorized Access to Restricted Database:
ID Theft Prevention Tips for Veterans from Privacy Rights Clearinghouse:
Report: Data Mining Costly, Ineffective, Violates Liberties
In a new report, "Effective Counter-Terrorism and the Limited Role of Predictive Data Mining," Jim Harper, director of information policy studies at the Cato Institute, and Jeff Jonas, engineer and chief scientist with IBM's Entity Analytic Solutions Group, explain that data mining is costly, ineffective, and a violation of fundamental liberties. In data mining, the government analyzes private data from large numbers of people. Data mining is ineffective, the "statistical likelihood of false positives is so high that predictive data mining will inevitably waste resources and threaten civil liberties," according to the report. The government is facing opposition from groups protesting its use of data mining in Homeland Security's "Automated Targeting System," a federal database that creates secret terrorist ratings on tens of millions of American citizens. The public has until Friday, December 29 to comment on the program.
Jeff Jonas and Jim Harper, Policy Analysis: Effective Counterterrorism and the Limited Role of Predictive Data Mining:
Comments of EPIC, 29 organizations and 16 privacy and technology experts (pdf):
Submit comments on the Automated Targeting System here:
Phoenix Airport to Use 'Backscatter X-Ray' on Travelers
Sky Harbor International Airport located in Phoenix, Ariz. announced that it will be field testing a new "backscatter X-ray" system intended to screen passengers before boarding airplanes. This method of screening passengers would reveal not only prohibited items but also medical details such as prosthetic devices and old injuries. The $100,000 refrigerator-size machines use "backscatter" technology, which bounces low-radiation X-rays off of a passenger to produce photo-quality images of metal, plastic and organic materials underneath clothes. The fact that the machines have the capacity to record and store images raises questions about secondary uses of the data.
EPIC's June 2005 Spotlight on Surveillance about backscatter X-ray machines:
EPIC's page on Backscatter X-Ray Screening Technology:
Malaysia to Put RFID Chips in License Plates
Malaysia's government will embed license plates with radio frequency identification (RFID) chips containing information about the vehicle and its owner. Touted as an anti-theft device, the government says that with the chips, officials can scan cars and identify stolen vehicles. The license plates will transmit data at a range of up to 100 meters and have a battery life of up to 10 years.
EPIC's page on RFID:
"Security in Computing" by Charles P. Pfleeger & Shari Lawrence Pfleeger (Prentice Hall PTR 2006).
"A sweeping revision of the classic computer security text. This book provides end-to-end, detailed coverage of the state of the art in all aspects of computer security. Starting with a clear, in-depth review of cryptography, it also covers specific options for securing software and data against malicious code and intruders; the special challenges of securing networks and distributed systems; firewalls; ways to administer security on personal computers and UNIX systems; analyzing security risks and benefits; and the legal and ethical issues surrounding computer security."
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Assessing Current Privacy Issues. Riley Information Services, Inc.
February 21, 2007. Ottawa, Ontario, Canada. For more information:
5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more
CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.