
EPIC Alert


EPIC Alert 13.03 [2006] EPICAlert 3


Volume 13.03 February 10, 2006

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
Table of Contents

[1] FCC Grants EPIC Petition on Protecting Telephone Records
[2] EPIC Seeks Spy Documents in Federal Court
[3] EPIC Testifies Before Congress on Illegal Record Sales
[4] Secure Flight Placed on Standby
[5] Federal Budget Pumps Money Into Surveillance Projects
[6] News in Brief
[7] EPIC Bookstore: Robert Sherrill's "First Amendment Felon"

[8] Upcoming Conferences and Events

[1] FCC Grants EPIC Petition on Protecting Telephone Records

On February 10, the Federal Communications Commission announced a formal rulemaking to create rules strengthening the security of consumers' phone records. This action grants EPIC's August 2005 petition, which was filed out of concerns that consumer records were too easily being acquired and sold online. Data brokers are thought to obtain the information either by taking advantage of lax authentication methods (otherwise known as “pretexting”) or by bribing insiders for information.

"I am deeply concerned about reports of companies trafficking in personal telephone records," said Kevin Martin, Chairman of the Commission. Commissioner Jonathan Adelstein agreed, saying, "Telephone companies are required to have firewalls in place to protect consumers' private information but instead these records are blazing all over the Internet."

The Commission is asking for comment addressing five specific recommendations made by EPIC in its 2005 petition, including the creation of consumer-set passwords; tracking who within the companies views and transfers customer data; encrypting consumer data; limiting the information collected and retained; and notifying consumers when a breach of data has occurred.

Industry representatives were resistant to the idea of further regulation last year, but since then, major news coverage of the vulnerability of cell records has placed additional pressure on communications providers. At a hearing held before a Senate subcommittee, industry spokesman Steve Largent admitted that better training and baseline authentication standards were necessary to better protect consumers' records.

The FCC has taken additional action against poor security standards, recently fining AT&T and Alltel for failing to comply with existing security rules. The text of the proposed rulemaking should be available next week.

EPIC's Petition to the FCC:

FCC Press Release on Rulemaking:

EPIC's Illegal Sale of Phone Records Page:

[2] EPIC Seeks Spy Documents in Federal Court

This week, the Senate Judiciary Committee heard a full day of testimony from Attorney General Alberto Gonzales on the National Security Agency's warrantless surveillance program. The Attorney General reiterated earlier Administration arguments about the purported legality of the program, but would not discuss operational details.

Despite repeated requests, the Administration has refused to provide Congress or the public with legal opinions or other documents concerning the controversial program. Next Wednesday, the House Judiciary Committee will vote on resolutions that would direct the Attorney General to turn over materials related to the program to the House of Representatives.

In a related development, U.S. District Judge Henry Kennedy heard oral arguments this morning on EPIC's request for an emergency order requiring the Justice Department to release documents about the program within 20 days. EPIC filed a Freedom of Information Act lawsuit against the agency last month, stating that the Justice Department agreed to give EPIC's Freedom of Information Act requests priority treatment, but has failed to process them even within the FOIA's usual time limit of twenty working days. The American Civil Liberties Union and National Security Archive have filed a similar lawsuit, which Judge Kennedy consolidated with EPIC's case.

Though he has not yet ruled on EPIC's motion, Judge Kennedy suggested that a failure by the Justice Department to release the documents quickly will cause irreparable harm to EPIC and the public. EPIC has argued in court papers that such a failure would make it impossible for EPIC and the public to participate in the debate on the controversial program -- a debate which "cannot be based solely upon information that the Administration voluntarily chooses to disseminate."

Earlier this week, EPIC also filed a second FOIA lawsuit for documents related to the program against the National Security Agency.

Transcript of the Senate Judiciary Committee Hearing on the National Security Agency's Warrantless Surveillance Program:

EPIC's Complaint Against the Justice Department (pdf):

EPIC's Motion for a Preliminary Injunction (pdf):

EPIC's Complaint Against the National Security Agency (pdf):

EPIC's NSA Warrantless Surveillance FOIA Page:

[3] EPIC Testifies Before Congress on Illegal Record Sales

Two Congressional committees held hearings this month on the illegal sale of consumers' communications records. EPIC Executive Director Marc Rotenberg testified before both the House Energy and Commerce Committee and the Senate Commerce Committee's Subcommittee on Consumer Affairs. “A ban on the sale of these records will dry up the market for illegally obtained records,” Rotenberg said.

EPIC also called for an end to “pretexting,” the major practice by which data brokers acquire consumer records. Pretexters will misrepresent themselves, often posing as the customer, in order to gain access to the customer's records. “A ban on pretexting would make unmistakably clear the fact that such practices are unfair, deceptive, illegal, and wrong,” said Rotenberg.

Lawmakers were eager to take action against the sale of telecommunications records, and already, two bills have been introduced in the Senate, and two in the House, to address the problem. At least two more bills are expected to emerge in Congress soon. Some of the bills focus upon making the commercial sale of call information illegal, while others ban the pretexting of phone records.

However, privacy advocates indicated that these were only first steps in solving the problem. Robert Douglas, CEO of and a former private investigator, indicated that more than just phone records were at stake, noting that pretexting is used to obtain a wide variety of private consumer information. Some of this information includes the identities of email account holders, P.O. Box owners, and the identities of those using online dating services.

EPIC also warned that the communications companies who hold the information must secure the information they collect, as well as limit the amount of information stored. Rotenberg emphasized that those who store consumer information have a responsibility. “The idea is simple: if you can't protect it, don't collect it,” he said.

EPIC Testimony Before House (pdf):

EPIC Testimony Before Senate:

EPIC's Illegal Sale of Phone Records Page:

Privacy Today Home Page:

[4] Secure Flight Placed on Standby

On February 9, the head of the Transportation Security Administration told a congressional committee that Secure Flight has been suspended for a comprehensive review of the program's information security measures. Testimony from the General Accountability Office revealed that TSA approved Secure Flight to become operational in September, despite inconclusive risk assessments and 144 known security vulnerabilities. "TSA may not have proper controls in place to protect sensitive information," the GAO said.

The Secure Flight program was introduced as a successor to the now-abandoned second generation Computer Assisted Passenger Prescreening System (CAPPS II). Many of the problems with CAPPS II that led to its demise continued to plague Secure Flight in its test phase. The controversial program has been the focus of two government investigations and is conducting an internal audit of its procedures. There is no deadline for the completion of the current audit.

EPIC has criticized the Secure Flight program in the past for secretly obtaining passenger information in violation of federal privacy law, as well as its initial efforts to use inaccurate commercial data in making passenger threat determinations.

In addition to criticizing Secure Flight's lack of privacy safeguards and security vulnerabilities, the GAO also noted that the documents underlying the program "contained contradictory and missing information."

EPIC testified before a House committee in November 2005 about the Registered Traveler program, a similar effort to profile airline passengers, and warned that there were significant problems with data accuracy, as well as ongoing concerns about the compliance with the Privacy Act and the risk of mission creep.

GAO Report on Secure Flight (pdf):

EPIC's Secure Flight Page:

EPIC Testimony on Registered Traveler, Nov. 3, 2005 (pdf):

[5] Federal Budget Pumps Money Into Surveillance Projects

President Bush's proposed $2.77 trillion budget for Fiscal Year 2007 increases spending on surveillance projects while making substantial cuts in education, housing, and farm programs. This is a 2.3 percent increase over projected spending for Fiscal Year 2006. President Bush had requested $2.57 trillion, but spending is projected to total $2.71 trillion.

The Department of Homeland Security has requested $42.7 billion, a 6 percent increase from FY 2006. Of this, the US-VISIT border program would receive $399.5 million, an increase of $62.9 million. Most of the increase will go toward the expansion of US-VISIT's fingerprint system; it will now capture all 10 fingerprints instead of two.

DHS's budget request also includes $3.96 million for the Office of Screening Coordination and Operations. This amount is significantly lower than its $847 million request last year, reflecting the decision not to combine eight different screening programs under the office, instead funding each program separately. The current budget request states that the money will be used to set common standards for government screening as well as for Registered Traveler screening programs run by private companies. Participants in the programs must provide iris scans and fingerprints and pass a background check by the Transportation Security Administration. It is unknown what percentage of TSA's $6.3 billion request would pay for these background checks, which each cost $30 to $50. EPIC's October 2005 Spotlight on Surveillance report found that Registered Traveler had significant security and privacy problems.

However, several homeland security programs were apparently slated for cuts under the President's Management Agenda. In a speech earlier this week, President Bush explained the program: "We ask federal managers to achieve good results at reasonable costs, and we measure them. The point is, is that if they can't prove they're achieving good results, then the programs, in my judgment, ought to be eliminated and/or trimmed back." Included in the list of programs that have been deemed "not performing" are: Transportation Security Administration's Air Cargo Security Programs, Baggage Screening Technology, Federal Air Marshal Service, Passenger Screening Technology programs, the Border Patrol, and the Coast Guard's Drug Interdiction program.

The Government Printing Office's Web page on the Fiscal Year 2007 Budget:

Department of Homeland Security's Budget in Brief Fiscal Year 2007 (pdf):

Government Web site listing "not performing" federal programs:

President Bush's Feb. 8, 2006 speech discussing 2007 budget:

[6] News in Brief

Focus on Medical Privacy Threats Intensifies

Consumer activists and health professionals alike are increasing their focus upon the threats that a national electronic health records system might have to patient privacy. Consumer Reports and Health Management Technology have both published articles outlining the dangers of a national network implemented without any privacy protections, including health information being shared with marketers or with employers, who could take adverse action against employees based upon medical records. Errors in medical records would also be spread faster and farther in an online environment. Those concerned about a national network being built without any privacy safeguards should sign the online petition.

"I Want My Medical Privacy" Petition:

Patient Privacy Rights

Consumer Reports on Medical Privacy Threats:

Health Management Technology on the National Health Information Network:

Centers for Disease Control Urged to Limit Passenger Data Collection

EPIC said in comments to the Centers for Disease Control and Prevention that it should limit a proposed rule that would require airline and shipping industries to gather passenger information, maintain it electronically for at least 60 days, and release it to the CDC within 12 hours of a request. EPIC urged the CDC to collect only necessary data and to set strict security standards to keep passenger data secure from unauthorized access and misuse. The CDC also should require the clear and open disclosure that travelers can refuse to submit their information without facing penalties, EPIC said.

EPIC's Comments to the CDC (Jan. 30, 2006) (pdf):

The Proposed CDC Rule:

EPIC's Medical Privacy page:

Federal Appeals Court Upholds Travel ID Requirement

A federal appeals court has dismissed a lawsuit about federal airport regulations requiring passengers to show identification before they board planes. John Gilmore, co-founder of the Electronic Frontier Foundation, sued the Bush administration, which claims that the ID requirement is necessary for security but has not publicly identified any actual regulation requiring it. A unanimous three-judge panel said the policy did not violate due process because the law was not a criminal law, and passengers are fully informed about the policy. The court also said that passengers have a "meaningful choice." A passenger "could have presented identification, submitted to a search, or left the airport," the court said.

Ninth Circuit Court of Appeals Opinion about Gilmore v. Gonzales (pdf):

EPIC's National ID and REAL ID Act page:

Key Privacy Concessions Gained in UK National ID Plans

In the United Kingdom, the House of Lords recently amended plans for a national ID card to include important privacy protections. According to the amendments, the card would be voluntary, and not a requirement for UK residents. In addition, the government must conduct a study detailing the cost of the scheme, and must provide adequate security for stored data. While Home Office officials have agreed to conduct a study every six months, they continue to oppose a voluntary ID. The legislation on the national ID card returns to the House of Commons on February 13.

Privacy International on National ID Cards:

EPIC's National ID and REAL ID Page

Lawmakers Criticize Tech Companies' Speech Crackdown in China

Members of Congress recently accused four major US Internet companies, Microsoft, Yahoo, Cisco Systems, and Google, of helping the Chinese government block certain online information to its citizens by providing it with surveillance and filtering tools. Yahoo has been further criticized for its role in helping Chinese authorities identify dissidents who posted information on the Web through Yahoo. Two such identified dissidents were arrested and sentenced to prison terms of 8 and 10 years. Chinese authorities strictly enforce laws that limit Internet use and censor specific information such as references to dissidents. The four companies are scheduled to testify at hearings before the U.S. House of Representatives on February 15.

Hearing Notice:

House Subcommittee on Africa, Global Human Rights, and International Operations:

EPIC's Free Speech Page:

Face and Fingerprints Swiped in Dutch Biometric Passport Crack

A Dutch TV program recently revealed that the Dutch RFID-enabled biometric passport was cracked in the summer of 2005 by smartcard security specialist Riscure. Due to a poorly implemented encryption key scheme, eavesdroppers could record the conversation between an RFID reader and the passport and later decrypt the contents of the conversation. The passport holder's biometric data was decrypted on a standard PC in about 2 hours. Many other countries, including the United States, are moving ahead with plans to include RFID technology in passports.

EPIC Resources on RFID:

Register Story on the Passport Hack:

Acxiom Proposed Massive Internet-Scanning System

Documents obtained by EPIC from the Department of Justice under the Freedom of Information Act show that commercial data broker Acxiom proposed a system to automatically scan the Internet and identify websites "belonging to advocates of extremist views and actions..." The plan proposed to extract personal information from websites and use it "to establish possible connections between extremist groups" and to collect data for an "Identity Verification System to be used by airlines, rental car agencies, and other business and government agencies." Prior releases of FOIA documents showed that Acxiom was considered as a source of data for the Total Information Awareness program. The $1,000,000 proposal was submitted to the Justice Department through Representative Vic Snyder (D-AR) on behalf of Acxiom and the University of Arkansas's Department of Computer Science. It is unclear whether the proposal was ever funded.

Acxiom FOIA Documents (pdf):

EPIC Commercial Data Broker Page:

Verichip RFID Implant Cloned

Programmer Jonathan Westhues has recently proved that the Verichip implantable RFID chip can be easily copied. Anybody capable of purchasing off the shelf electronics equipment and reading the description below can now impersonate the bearer of the chip and gain access to their medical records, among other things. As Verichip has marketed their chip as a means of managing access control to buildings and medical records, this represents a significant threat to their bearer's privacy and security.

For more information about the Verichip, see EPIC's Verichip Page:

Westhues' Page on How to Clone a Verichip:

[7] EPIC Bookstore: Robert Sherrill's "First Amendment Felon"

First Amendment Felon: The Story of Frank Wilkinson, His 132,000-Page FBI File, and His Epic Fight for Civil Rights and Liberties, Nation Books, 2005.

The story of Frank Wilkinson, who passed away just last month, is one that needs to be told, in order to remind us that fear and political opportunism are often the greatest threats to free speech. Robert Sherrill's account of Wilkinson's various struggles with J. Edgar Hoover's FBI and with the House Un-American Activities Committee provides just such a pertinent reminder. When called before HUAC in 1958, Wilkinson refused to answer questions about his political affiliations, citing not the Fifth Amendment, but the First. When he lost his Supreme Court appeal in 1961, he was jailed for nine months for contempt of Congress. Upon his release, he campaigned for the abolition of HUAC, finally succeeding in 1975.

Sherrill's book provides wide-ranging and vivid context for its subject, covering Wilkinson's college years through his 1975 vindication, but the author's perspectives and allegiances are clear. This does not, however, diminish the facts of Wilkinson's defiance. Make no mistake -- this is a political book, written with an eye on the parallels between the climates of suspicion both then and now.

Sherwin Siy

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 60 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2004 is the most comprehensive report on privacy and data protection ever published.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Call for papers for the Workshop on Generating Collaborative Research in the Ethical Design of Surveillance Infrastructures. The deadline for proposals is March 1, 2006. For more information:

IAPP National Summit. International Association of Privacy Professionals. Washington, DC. March 8-10, 2006. For more information:

Call for papers for the 34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. Proposals should be based on current theoretical or empirical research relevant to communication and information policy, and may be from any disciplinary perspective. Deadline is March 31, 2006. For more information:

Beyond the Basics: Advanced Legal Topics in Open Source and Collaborative Development in the Global Marketplace. University of Washington School of Law. March 21, 2006. Seattle, Washington. For more information:

Making PKI Easy to Use. National Institutes of Health. April 4-6, 2006. Gaithersburg, Maryland. For more information:

First International Conference on Availability, Reliability and Security. Vienna University of Technology. April 20-22, 2006. Vienna, Austria. For more information:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine Institute for Software Research and the National Science Foundation. April 22-23. Montreal, Quebec, Canada. For more information:

The First International Conference on Legal, Security and Privacy Issues in IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For more information:

Computers, Freedom, and Privacy Conference (CFP 2006). Association for Computing Machinery. May 2-5, 2006. Washington, DC. For more information:

34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. September 29-October 1, 2006. Arlington, Virginia. For more information:

International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Oshawa, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

