
EPIC Alert


EPIC Alert 13.07 [2006] EPICAlert 7


Volume 13.07 April 06, 2006

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
Table of Contents

[1] Federal, State Officials Object to Proposed IRS Rules
[2] Coalition Pushes for Privacy in Electronic Health Records
[3] Congress Continues to Scrutinize Warrantless Surveillance Program
[4] Federal Agency Finds Flaws in Government Use of Commercial Databases
[5] Report on Bank Privacy Notices Recommends Cosmetic Changes
[6] News in Brief
[7] EPIC Bookstore: Evan Hendricks's "Credit Scores and Credit Reports"

[8] Upcoming Conferences and Events

[1] Federal, State Officials Object to Proposed IRS Rules

Attorneys General from 46 states and the District of Columbia filed a formal objection to proposed IRS rules that would allow businesses to share taxpayer information more easily for marketing and other purposes. Senator Barack Obama and privacy organizations also opposed the rule change.

In a letter to IRS Commissioner Mark Everson, Senator Obama expressed concern that taxpayers often sign documents and tax forms prepared by tax preparers without reading them. Therefore, taxpayer consent for the disclosure of their financial data could be less than voluntary. Senator Obama also has introduced a bill placing significant restrictions on the disclosure of such sensitive financial information to third parties.

The attorneys general recommended a ban on sharing taxpayer information. "We are greatly concerned that this regulation, if adopted as proposed, will erode consumer privacy and the security of sensitive personal information, with a consequent increase in such serious problems as identity theft and intrusive or even abusive marketing practices," they said. The state officials also made several proposals for minimum safeguards that would protect privacy and stem identity theft. These proposals are similar to ones submitted to the IRS in March by EPIC, Privacy Rights Clearinghouse and World Privacy Forum.

In the privacy organizations' comments, they said that, though "[t]he proposed changes to the regulations represent an important effort to increase taxpayers' awareness of what is done with their personal information," there are problems that must be solved to ensure adequate taxpayer privacy. "[T]he updated regulations fail to adequately safeguard taxpayer privacy because they neglect to protect information once it is disclosed, allow consent that is less than voluntary, and carry penalties that are not harsh enough to ensure tax return preparers obey the law," the groups said.

EPIC's current Spotlight on Surveillance feature surveys other problems at the IRS. In March, two government reports found that the agency has poor physical and electronic security. In the Federal Computer Security Report Card for 2005, the Treasury Department received a D-minus grade, down from a D-plus grade in 2004. The majority of Treasury systems are those belonging to IRS. The government-wide computer-security grade for 2005 was D-plus, while Homeland Security and Defense both received an F.

Also, the Government Accountability Office reported that weaknesses in information security at the IRS "increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place IRS operations at risk of disruption." Though the agency's computer security had improved since the last assessment a year ago, the GAO found multiple security problems. These include: IRS's physical security controls (restricting physical access to computer facilities and resources); software patch management; and electronic access controls such as passwords, user rights and file permissions. The IRS also has had considerable trouble with its contractors improperly accessing and collecting sensitive taxpayer data. In one case, an IRS contractor spent several months collecting political party affiliation data on taxpayers in 20 states, in violation of the law.

Senator Obama's Bill Concerning IRS Disclosures:

Letter From Attorneys General (pdf):

Comments of EPIC, Privacy Rights Clearinghouse, and World Privacy Forum on Proposed Regulations:

Proposed IRS Regulations (pdf):

Spotlight on Surveillance March 2006:

[2] Coalition Pushes for Privacy in Electronic Health Records

A broad coalition of 26 organizations, led by Patient Privacy Rights, has issued a letter urging that privacy be included as a core part of any health information technology (HIT) system. Patient Privacy Rights was joined by the American Conservative Union, the American Civil Liberties Union, the Free Congress Foundation, the Christian Coalition of America, and the Electronic Privacy Information Center in the letter.

Proponents of electronic access to health records argue that a HIT system can ease medical treatment. For instance, patients who need treatment when far from home will benefit if doctors can access their medical records. However, the organizations said that patients should have the ability to grant or deny access to that information in ordinary circumstances. "The proper balance to ensure timely access to medical records for treatment and preserve patient control of medical records means allowing access in emergencies if consent cannot be obtained, but requiring patient permission before records are disclosed in everyday situations," the groups wrote.

The organizations also stressed the need for strong security measures for any HIT system. In light of the many security breaches reported by commercial and financial institutions, security standards for a HIT system must be stronger than those currently used by the financial services industry.

The flexibility of an electronic system of health records should also allow patients to control the levels of access for different groups. For instance, while treating physicians may need access to personal information like names, addresses, and phone numbers, medical researchers conducting statistical studies would not need such information.

Congress is currently considering several health information technology bills, each named the "Wired for Health Care Quality Act." Last November, the Senate passed S. 1418, which is awaiting action in the House. There are also two House companion bills, H.R. 4642 and H.R.

Patient Privacy Coalition Letter:

EPIC's Medical Privacy Page

Patient Privacy Rights

S. 1418:

H.R. 4642:

H.R. 4726:

[3] Congress Continues to Scrutinize Warrantless Surveillance Program

The Senate and House Judiciary Committees recently held three hearings in which they continued to ask questions about the National Security Agency's controversial warrantless surveillance program.

Last week, the Senate Judiciary Committee held its third hearing on the surveillance operation, focusing on the Foreign Intelligence Surveillance Court and the extent of executive power during wartime. The committee heard testimony from four judges who have served on the secretive court, all of whom endorsed a bill proposed by Senator Arlen Specter that would require the program to be subject to the court's oversight. Judge James Robertson, who resigned from the court shortly after the program became public, sent a letter to the committee expressing support for the bill.

Also testifying was David S. Kris, a former high-level official in the Justice Department. Documents obtained by EPIC in March through Freedom of Information Act litigation revealed Kris' skepticism that the surveillance was permitted by the Authorization for Use of Military Force Resolution. In one e-mail, Kris wrote that the Justice Department's legal arguments for the program "had a slightly after-the-fact quality or feeling to them." During his testimony, Kris said that he believes the program violates the Foreign Intelligence Surveillance Act, and voiced support for legislation to govern the program.

Last week the Senate Judiciary Committee also held a hearing on Senator Russ Feingold's resolution to censure President Bush for authorizing the surveillance program. Members of the House Judiciary Committee also pressed Attorney General Alberto Gonzales for answers about the program during a Justice Department oversight hearing on April 5.

In related news, U.S. District Court Judge Henry H. Kennedy recently granted the Justice Department's motion for more time to process material about the warrantless surveillance program in a Freedom of Information Act lawsuit pursued by EPIC, the ACLU and the National Security Archive. In February, Judge Kennedy ordered the agency to process and release documents related to the program by March 8. The Justice Department released some unclassified material by the deadline, but relied on classified affidavits to press for four additional months to process other documents. Judge Kennedy has ordered the agency to process some records by early May, and all other material by early July.

S. 2453, National Security Surveillance Act of 2006:

EPIC's Domestic Surveillance FOIA page:

EPIC Feature: Resources on Domestic Surveillance:

[4] Federal Agency Finds Flaws in Government Use of Commercial Databases

The Government Accountability Office issued a report on April 4 stating that government agencies and the private companies from which they buy personal information often do not follow fair information practices in handling individuals' data. Fair information practices are a set of principles that ensure that individuals' personal information is handled in a way that protects privacy. The principles include collection limitation, which ensures that only necessary data is collected; purpose specification, meaning that individuals are informed of the reasons data is collected; and use limitation, which means that data is used only for the purposes for which it was collected.

In the report, the GAO stated that the data brokers supplying government agencies with information are fundamentally at odds with fair information practices, as data brokers base their businesses upon multi-purpose collection and use of personal information from multiple sources. Furthermore, the GAO reported that data brokers generally do not inform individuals that information is being collected about them, or give individuals the ability to access and correct information held by the broker.

The agencies themselves also fall short in protecting privacy when using commercial data, since agencies frequently do not notify the public when commercial databases are used to compile personal information into government systems of records. The GAO also emphasized that government agencies lack consistent policies on how to treat data bought from commercial sources.

A representative from the Consumer Data Industry Association criticized the GAO report, noting that many data brokers are already regulated under the Fair Credit Reporting Act, and thus are obligated to obey fair information practices embodied in the Act. However, though many data brokers provide services regulated under federal laws, they will also offer parallel services designed so that the privacy laws do not apply.

GAO Report on Agency and Reseller Use of Personal Information (pdf):

House Judiciary Committee Hearing Notice:

[5] Report on Bank Privacy Notices Recommends Cosmetic Changes

Six federal agencies charged with enforcing financial privacy laws sponsored a report that detailed recommended changes to bank consumer privacy notices. As part of their responsibilities, the agencies hired a communications group to design a replacement for the often-confusing privacy notices that banks must send to their customers under the Gramm-Leach-Bliley Act.

The Kleimann Communication Group created a privacy notice incorporating a more user-friendly design and a table outlining the various entities to whom a bank may disclose information. While the study focused on the readability of the notice, it was not asked to address the more basic problem of consumers being able to effectively control the uses of their information. For instance, consumers indicated that they often could not choose banks based on privacy policies, since factors like location and services might require them to choose banks that had weaker privacy policies.

The study also seemed to indicate that consumers were very concerned with the level of information sharing currently allowed by federal laws. Many test consumers incorrectly assumed that the information routinely shared by banks, such as Social Security information, could not be legally shared. As test group consumers became more informed as to bank policies, they grew less trustful of the banks. Consumers across the country spontaneously raised the threat of identity theft and linked increased theft risk with increased sharing.

FTC Press Release on the Report:

Copy of the Notice Report (pdf):

EPIC's Gramm-Leach-Bliley Act Page:

[6] News in Brief

United Kingdom Passes Law Paving Way for National ID Card
UK lawmakers approved a measure requiring Britons applying for passports before January 2010 to get an identity card. A Briton can opt out, but if he does, he will be put into a national database. This is a compromise measure passed after five rejections of a bill that would have made the cards mandatory for all residents of Britain. The cards would store biometric data such as digital iris images or fingerprints. A report by leading academics from the London School of Economics said that the ID scheme will be costly, inefficient, and easily subverted.

London School of Economics Report (pdf):

EPIC's National ID Cards and REAL ID Act page:

Ends Effort to Withhold Images of Abu Ghraib Abuse
The Defense Department has dropped its challenge to a court decision ordering the release of photos and videos depicting American troops abusing detainees at Abu Ghraib prison. According to an agreement reached by the Pentagon and ACLU, the Defense Department will authenticate photos of abuse that have already been posted by, and disclose any additional images that are not yet public. The Defense Department had refused to release the information under the Freedom of Information Act, claiming that such disclosure would "endanger the life or physical safety" of U.S. soldiers in Iraq. Last month, EPIC and the National Security Archive filed a "friend of the court" brief in the case, which argued that the government's claims undermine the Freedom of Information Act's purpose of promoting open, honest and accountable government.

Amicus Brief Filed by EPIC and the National Security Archive (pdf):

District Court Decision in ACLU v. Department of Defense (pdf):

Again Puts Off .xxx Domain Decision
The Internet Corporation for Assigned Names and Numbers (ICANN) again declined to move toward creating a ".xxx" top-level domain for adult content. At its 25th International Meeting in Wellington, New Zealand, the company, which determines policy for assigning domain names to Internet protocol addresses, delayed the plan, ostensibly to address concerns that the company applying to administer the domain met certain requirements. ICANN had "indefinitely" delayed decision on the .xxx domain in December, and had rejected calls for the domain five years ago. Some critics of the proposed domain feel it legitimizes the existence of pornography, while free-speech advocates say that it would encourage censorship without preventing unwanted access to adult content.

ICANN home page:

Just Google: ISPs, Software Companies Subpoenaed by Justice Dept.

Documents uncovered by InformationWeek and the New York Sun through the Freedom of Information Act reveal that the Justice Department demanded records from at least 34 other Internet companies and software producers in its attempts to defend the Child Online Protection Act, an Internet censorship law blocked as unconstitutional by the Supreme Court in 2004. Companies were told to provide demographic information about their users, the types of filtering software that they offered, and any studies that evaluated the effectiveness of filters or the number of pornographic sites on the Web. The Justice Department intended to use this information to argue that filters are an ineffective alternative to the Child Online Protection Act, which would make it a criminal offense for anyone to post adult material on the web, unless the website first collects personal information proving that users are not minors.

InformationWeek's Archive of Justice Department Subpoenas:

EPIC's Child Online Protection Act Page:

Testifies on CA Pretexting Legislation
Legislation that would impose a blanket ban on "pretexting" sailed through the California Senate Judiciary Committee yesterday. The bill, SB 1666, sponsored by Senator Bowen (D-Redondo Beach) would prohibit any person from using pretexting, soliciting pretexting services, or from knowingly purchasing information obtained through pretexting. In testimony before the Committee, EPIC argued that a broad ban on pretexting was necessary to address data brokers who use the practice against automobile navigation companies, dating websites, and employers.

SB 1666:

EPIC Testimony on SB 1666:

EPIC Illegal Sale of Phone Records Page:

Comments on Canadian Do-Not-Call Registry
Canadians will soon enjoy a telemarketing Do-Not-Call List, as the country's Radio-Television and Telecommunications Commission (CRTC) has started a proceeding to tighten telemarketing regulations. EPIC provided comments to the body, urging it to adopt a consumer-friendly approach to the list. Specifically, EPIC argued that the Federal Trade Commission's Do-Not-Call framework was a remarkable success because it covered all sectors of telemarketers (except non-profits and politicians), was free for consumers, and was simple to sign up. EPIC argued that the CRTC should remove a special-interest exemption for newspapers, and that an exemption for "established business relationships" should be narrowed to fit consumers' expectations of when a transaction can give rise to telemarketing. Anyone may comment on the proceeding until May 10, 2006.

Canadian Radio-Television Do-Not-Call Page:

EPIC Comments on Canadian Do-Not-Call:

, EFF Comment on San Francisco Wifi Proposals
EPIC and the Electronic Frontier Foundation have submitted an analysis of six proposals to provide San Francisco with wireless municipal broadband. The proposals come in response to the city's "TechConnect" initiative, which seeks to bridge the digital divide by providing all San Franciscans with free or low-cost broadband. EPIC and EFF specified that a privacy-friendly network would promote anonymity by allowing access without "signing in," by allowing a level of free access to avoid identification through payment, and by limiting targeting and profiling for commercial purposes.

Privacy Analysis of the Competing Wifi Proposals:

[7] EPIC Bookstore: Evan Hendricks's "Credit Scores and Credit Reports"

Evan Hendricks. "Credit Scores and Credit Reports: How the System Really Works, What You Can Do" (Privacy Times, 2005).

"Whether we like it or not, the credit score is emerging as the most important "number" in the financial lives of American consumers. The FICO score is often the major factor in determining how much consumers pay for mortgages, refinancing, auto loans and credit cards, as well as for auto or homeowners insurance.

Despite its importance, credit scoring began as a secret system, and has been shrouded in mystery ever since. In addition, there is little understanding of the credit reporting system, which holds financial histories on 210 million Americans and is the source of data for calculating credit scores. One problem: the credit reporting system has a long history of inaccuracy.

Through careful research and precise writing, Credit Scores & Credit Reports, allows consumers to understand how these systems actually work, and what they can do to improve their FICO scores. Importantly, the book also describes how the system sometimes doesn’t work, and how hundreds of thousands if not millions of consumers have been frustrated in their efforts to correct errors in their credit reports."

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining, and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 60 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2004 is the most comprehensive report on privacy and data protection ever published.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

First International Conference on Availability, Reliability and Security. Vienna University of Technology. April 20-22, 2006. Vienna, Austria. For more information:

Third International Conference on Security in Pervasive Computing. University of York. April 19-20, 2006. York, United Kingdom. For more information:

Access to Knowledge Conference. Yale Information Society Project. April 21-23, 2006. New Haven, Connecticut. For more information:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine Institute for Software Research and the National Science Foundation. April 22-23. Montreal, Quebec, Canada. For more information:

The First International Conference on Legal, Security and Privacy Issues in IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For more information:

Computers, Freedom, and Privacy Conference (CFP 2006). Association for Computing Machinery. May 2-5, 2006. Washington, DC. For more information:

Conference on Data Protection and Security: A Transnational Discussion. International Association of Young Lawyers. May 5-6, 2006. Washington, DC. For more information:

Call for papers for the CRCS Workshop 2006: Data Surveillance and Privacy Protection. Center for Research on Computation and Society. June 3, 2006. Cambridge, Massachusetts. For more information:

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New York, New York. For more information:

34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. September 29-October 1, 2006. Arlington, Virginia. For more information:

International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Markham, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

