EPIC Alert
In comments to the Federal Identity Theft Task Force, EPIC said that addressing the problem of identity theft requires strong preventative measures and meaningful privacy rights for individuals. Identity theft is a major threat to consumers, costing the economy 50 billion dollars a year. The President created the Identity Theft Task Force in 2006 to develop recommendations on the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution.
The Task Force published Interim Recommendations that propose a set of reforms aiming to limit the use of social security numbers, improve authentication methods, and support victim recovery. The Task Force requested comments prior to its concluding report.
EPIC stated in its comments that a scheme that requires the collection of additional personal information with which to identify consumers would only lure identity thieves by creating high-value databases, and would further impair victim recovery. Instead, EPIC submitted that an effective approach should address the root causes of identity theft: excessive data collection and lax security practices. EPIC urged that the Task Force promote responsible data collection practices, minimize the amount of data collected, require security for personal data warehouses and give consumers rights in the personal data that others hold.
EPIC concluded that minimizing the risk of identity theft is most effectively achieved by attaching costs to the collection and retention of personal data. This internalization can be brought about by comprehensive data security regulation and the use of privacy enhancing technologies that would minimize or eliminate the collection of personally identifiable information. EPIC further urged the Task Force to act upon the comments in order to protect the privacy, identity and economic livelihoods of American consumers. The public comment period is now closed, and the Task Force's concluding report is soon to be submitted to the President.
President's Identity Theft Task Force: http://www.ftc.gov/bcp/edu/microsites/idtheft/
ID Theft Task Force Interim Recommendations (pdf): http://www.ftc.gov/os/2006/09/060916interimrecommend.pdf
EPIC's page on Identity Theft: http://www.epic.org/privacy/idtheft/
EPIC's Comments on Identity Theft (pdf): http://www.epic.org/privacy/idtheft/EPIC_FTC_ID_Theft_Comments.pdf
In a statement at the National Institutes of Health, President Bush called on Congress to pass legislation to protect genetic privacy, so that "medical research can go forward without an individual fearing personal discrimination". A genetic privacy bill, which passed the Senate in 2003 but died in the House, was reintroduced as the "Genetic Information Nondiscrimination Act of 2007" in the House on January 16.
The bill states that Congress finds that as advances in genetics open new opportunities for medical progress, these advances will also give rise to the potential misuse of genetic information to discriminate, particularly in the areas of health insurance and employment. The bill seeks to establish a national standard to prohibit genetic discrimination by health insurance providers and employers. Under the bill, these entities cannot require genetic testing, cannot determine premiums or eligibility for insurance or employment based on genetic information, and are limited in their collection and use of genetic information.
In the health insurance context, the bill prevents the collection of genetic information by group health plans and health insurance issuers, and requires conformance with pre-existing confidentiality standards. The protected genetic information extends to the individually identifiable genetic information of an individual and his or her family members, and includes information about requests for or receipt of genetic services.
The bill also prohibits employment discrimination on the basis of genetic information, making it unlawful for employers to use genetic information to refuse to hire, discharge or discriminate against any employee. Employers are also prohibited from collecting genetic information on employees. Exceptions exist for inadvertent collection, employer health or genetic services with employee consent, employer purchase of commercially and publicly available documents that do not include medical databases or court records, and genetic monitoring of biological effects of toxic substances in the workplace. Importantly, any information collected under these exceptions may not be used in violation of the bill's provisions on employment discrimination and the confidentiality of genetic information.
EPIC has filed amicus briefs in several cases in which it has argued for stronger privacy protection for genetic information.
White House News and Policies: Press Release http://www.whitehouse.gov/news/releases/2007/01/20070117-1.html
H.R. 493, the Genetic Information Nondiscrimination Act of 2007: http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.00493:
EPIC's page on genetic privacy: http://www.epic.org/privacy/genetic/
This week the Bush administration said that it would no longer rely on Presidential authorization for the warrantless monitoring of American citizens in the United States. The controversial program, run by the National Security Agency, was secretly approved by President Bush following 9/11. For more than a year the administration defended the legality of the domestic surveillance program and contested the possibility of court oversight.
According to the White House, the program monitors international telephone and e-mail communications of individuals in the U.S. who are suspected of having links to terrorist groups. While proponents of warrantless eavesdropping claim it does not infringe on legitimate privacy rights and is a vital tool in the fight against terrorists, opponents state that the eavesdropping program gives the government far too much power with virtually no oversight, authorizing email and telephone intercepts by U.S. intelligence officers without the involvement of any court or judge. A number of privacy advocates have declared the warrantless eavesdropping illegal.
Attorney General Alberto Gonzales told the leaders of the Senate Judiciary Committee on January 17 that the Foreign Intelligence Surveillance Court, created by the Foreign Intelligence Surveillance Act (FISA) of 1978 in response to intelligence-gathering abuses that arose in the Vietnam War era, will supervise the government's clandestine eavesdropping operations from now on. The court will oversee eavesdropping on telephone calls and e-mails to and from the United States when there is probable cause to believe that one of the parties is a member of a terrorist group.
White House and Justice officials asserted that the President was not retreating from his stance that he has the constitutional and legislative authority to order warrantless surveillance on international calls, but that he is satisfied that the FISA process can move quickly in order to authorize necessary surveillance.
Many remain critical of yesterday's announcement, indicating that while a move from warrantless surveillance to secret court oversight was a positive step, it does little to increase the transparency of government surveillance for the American public, nor does the new plan address the legality of the government's actions under the Domestic Surveillance Program over the past four and a half years.
Letter from Attorney General Gonzales to Senators Leahy and Specter (pdf): http://www.epic.org/redirect/agltr12407.html
EPIC Spotlight on Surveillance: http://www.epic.org/privacy/surveillance/spotlight/0106/
EPIC's page on Foreign Intelligence Surveillance Act: http://www.epic.org/privacy/terrorism/fisa/
The Department of Homeland Security recently announced that it will launch the Traveler Redress Inquiry Program on February 20, 2007. DHS described the program as "a central gateway to address watch list misidentification issues, situations where individuals believe they have faced screening problems at immigration points of entry, or have been unfairly or incorrectly delayed, denied boarding or identified for additional screening at our nation's transportation hubs." There are significant problems with the current redress process for travelers mistakenly matched to watch lists, but EPIC's Spotlight on Surveillance report explains that this system does not solve them.
The Transportation Security Administration (TSA) administers two lists of names of individuals suspected of posing "a risk of air piracy or terrorism or a threat to airline or passenger safety": a "no fly" list and a "selectee" list. The lists are sent to the airlines, which run passenger names against the lists. When a passenger checks in for a flight, he may be labeled a threat if his name matches an entry on one of the watch lists, even if he is not the person actually on the list. A match to the "no fly" list requires the airline to notify TSA and to call a law enforcement officer to detain and question the passenger. In the case of a Selectee, an "S" or special mark is printed on the individual's boarding pass and the person receives additional security screening. Customs and Border Protection also uses the lists to screen travelers.
There have been myriad stories about mistakes associated with the watch lists, with sometimes chilling results. An April 2006 report by the Department of Homeland Security's Privacy Office on the impact of the watch lists explained that "individuals who are mistakenly put on watch lists or who are misidentified as being on these lists can potentially face consequences ranging from inconvenience and delay to loss of liberty." The report described complaints "alleg[ing] misconduct or disrespect by airline, law enforcement, TSA or CBP officials" toward people mistakenly matched. According to the Privacy Office, "Some complaints alleged that officers […] told another traveler that he and his wife and children were subjected to body searches because he was born in Iraq, is Arab, and Muslim."
The watch lists, which the National Counterterrorism Center says include 325,000 names, are rife with mistakes and "false positives". In December 2005, the director of TSA's redress office revealed that more than 30,000 people who are not terrorists have asked TSA to remove their names from the lists since September 11, 2001. Earlier this month, the head of TSA said that the watch lists were being reviewed, and he expected to cut the list of names in half.
The watch list errors and "false positive" problems arise currently not because there are three agencies processing redress requests, but because the records themselves are not subject to the Privacy Act. The lack of enforcement of Privacy Act obligations means that individuals are not given the opportunity to inspect, correct or limit the dissemination of inaccurate information. Greater transparency in the watch list process would lead to greater accuracy of the lists themselves.
Department of Homeland Security Press Release about TRIP: http://www.dhs.gov/xnews/releases/pr_1169062569230.shtm
Department of Homeland Security Privacy Office, Report (Apr. 27, 2006) (pdf): http://www.dhs.gov/xlibrary/assets/privacy/privacy_rpt_nofly.pdf
Government Accountability Office, "GAO-06-1031: Terrorist Watch List Screening: Efforts to Help Reduce Adverse Effects on the Public" (Sept. 2006) (pdf): http://www.gao.gov/new.items/d061031.pdf
EPIC's Spotlight on Surveillance on TRIP: http://www.epic.org/redirect/trip12407.html
EPIC's page on Passenger Profiling: http://www.epic.org/privacy/airtravel/profiling.html
Australia's hosting of 2007 Asia-Pacific Economic Cooperation (APEC) events began with a series of Senior Officials Meetings in Canberra this month. The protection of transborder flows of personal data received considerable attention as an issue that is important for the ongoing economic health and development of the Asia-Pacific.
On January 22, the APEC Electronic Commerce Steering Group held a Data Privacy Seminar on the International Implementation of the APEC Privacy Framework. The seminar focused on the development of Cross-Border Privacy Rules that would satisfy the nine privacy principles articulated in APEC's Privacy Framework.
The Cross-Border Privacy Rules are intended to assist businesses to provide certainty to their customers on how their personal information will be protected. The Privacy Framework stresses clear accountability in the flow of information among APEC countries, and sets out recommended practices concerning the collection and use of personal information, as well as notice, security, access and correction mechanisms.
This year's Australian meetings also include the first review in a decade of whether new countries should be admitted to APEC. Although APEC has no treaty obligations required of its participants, the adequacy of countries' data protection schemes may become an important factor as APEC considers lifting the membership moratorium. In a recent visit to India, the country leading the APEC membership bid, Australia's Attorney-General "pointed to the protection provided in Australia under the Privacy Act for personal information" and stressed that the "same protection should exist for data that is sent to India as part of outsourcing deals".
India's Commerce and Industry Minister promised that if the self-regulatory regime proved inadequate, New Delhi would consider further legislation. Despite this assurance, Australia's Attorney-General reiterated his concerns at the beginning of the APEC Electronic Commerce Steering Group's Data Privacy Seminar, and stated that Australian officials would be conducting further study into the adequacy of India's and other countries' data protection legislation as compared to Australia's.
APEC 2007 news release: http://www.epic.org/redirect/apec12407.html
APEC Privacy Framework (pdf): http://www.epic.org/redirect/apf12407.html
Government of Australia Attorney-General's Office: Data Privacy at APEC 2007: http://www.epic.org/redirect/austag12407.html
Privacy and Human Rights 2005: Transborder Data Flows and Data Havens: http://www.epic.org/redirect/phr12407.html
Congress Introduces New Privacy Bills
Several new bills have been introduced this month, including the Federal Agency Data Privacy Protection Act in the House and the Federal Agency Data Mining Reporting Act of 2007 in the Senate. The House bill requires the encryption of all "sensitive data" held by the federal government, such as social security numbers and medical, financial and criminal records, and limits the types and amounts of information that may be accessed by federal government employees and contractors. The Senate bill requires the head of each federal department or agency to publish a report on any use or development of data mining activities.
H.R.516, the Federal Agency Data Privacy Protection Act: http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.00516:
S.236, the Federal Agency Data Mining Reporting Act of 2007: http://thomas.loc.gov/cgi-bin/bdquery/z?d110:S.236:
Court Finds Right of Informational Privacy
A New Jersey appeals court has held that Internet subscribers have a reasonable expectation of "informational privacy", which the court defined as "the ability to control the acquisition or release of information about oneself" or "to control the terms under which personal information is acquired, disclosed, and used". The decision was grounded on the New Jersey Constitution's implied right of privacy and on precedents the court termed "highly protective" of that right, even as to data in third parties' hands. The recognition of the right to privacy in this case will allow a challenge to a subpoena that led to an indictment for computer-related theft.
State v. Reid, A-3424-05 (pdf): http://pdfserver.amlaw.com/nj/comcast.pdf
Recent Data Breaches in Canada and the US
The Canadian Privacy Commissioner, Jennifer Stoddart, announced on January 18th that her office has launched an investigation into a recent data breach at Talvest Mutual Funds, a subsidiary of the Canadian Imperial Bank of Commerce (CIBC). The breach allegedly occurred when a CIBC hard drive disappeared while being moved from Montreal to Toronto. The investigation will assess whether the loss of the hard drive containing the financial records of 470,000 Talvest clients was in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA).
On January 17, the retailer that operates T. J. Maxx and Marshall's stores revealed that tens of millions of credit and debit cards might have been compromised by a security breach of its computer systems. According to TJX's press release, the breach involved customers' credit card, debit card, check, and merchandise return information collected at its U.S., Canadian and Puerto Rican stores, and may involve customers of its stores in the U.K. and Ireland.
Privacy Commissioner's Press Release: http://www.privcom.gc.ca/media/nr-c/2007/nr-c_070118_e.asp
TJX Customer Alert: http://www.tjx.com
EPIC's Resources on the Veterans Affairs Data Breach: http://www.epic.org/privacy/vatheft/default.html
EPIC's Testimony before the House Committee on Energy and Commerce on Data Security (2005): http://www.epic.org/privacy/choicepoint/datasec7.28.05.html
EPIC's Choicepoint Page: http://www.epic.org/privacy/choicepoint//
DOJ Weighs Widespread DNA Collection
The Department of Justice is reported to be exploring the collection of DNA from noncitizens detained by the federal government. Under a provision of the Violence Against Women Act of 2005 -- the Kyl Amendment -- federal agencies may collect DNA from non-U.S. persons who are detained by the federal government. This provision could extend beyond terrorism detainees and include noncitizens stopped, no matter how briefly, by federal officials. DNA from immigration violators would remain on file permanently. Genetic profiles from people arrested for federal crimes could be removed from the database if they are not convicted.
Violence Against Women and Department of Justice Reauthorization Act of 2005: http://www.epic.org/redirect/vawa12407.html
EPIC's Genetic Privacy Page: http://www.epic.org/privacy/genetic/
OECD Information Technology Outlook 2006
The OECD has published its Information Technology Outlook. The 2006 edition looks at the increasing importance of digital content in selected industries and how it is transforming value chains and business models. The potential of technological developments is examined: ubiquitous networks, location-based services, natural disaster warning systems, the participative web and the convergence of information technology with nanotechnology and biotechnology.
OECD Information Technology Outlook 2006 Announcement: http://www.epic.org/redirect/oecd12407.html
Cato Book Forum: "Identity Crisis: How Identification Is Overused and Misunderstood" by Jim Harper
The Cato Institute held a book forum on Thursday, January 18, at which Jim Harper, the Director of Information Policy Studies at Cato, discussed his new book “Identity Crisis: How Identification Is Overused and Misunderstood”. The noontime forum featured author Jim Harper, Director of Information Policy Studies, Cato Institute; with comments by James Lewis, Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies; and Jay Stanley, Public Education Director, Technology and Liberty Project, American Civil Liberties Union.
In Identity Crisis, Jim Harper argues that identification does not provide the security often assumed, and the overuse of identification harms Americans' interests in a variety of ways. Harper's solution is to replace the uniform national identity system being advanced by the REAL ID Act with a diverse, competitive identification and credentialing marketplace. REAL ID calls for states to issue nationally uniform drivers' licenses and ID cards by May 2008, and has been met with opposition from state legislators and the American people, who condemn what may be an $11 billion, unfunded surveillance mandate. Legislation to repeal REAL ID has already been introduced.
Cato Institute - Jim Harper: http://www.cato.org/people/harper.html
EPIC's page on Real ID: http://www.epic.org/privacy/id_cards
"Digital Destiny: New Media and the Future of Democracy" by Jeff Chester (The New Press 2007).
It comes as no surprise that communications lobby groups have ensured that they are better funded, better organized, and better positioned to shape media policy than their civil society counterparts. What is shocking is the degree to which industry goals have been achieved through this tightly knit network of actors, and the resounding silence that has resulted. Jeff Chester's book, Digital Destiny: New Media and the Future of Democracy, presents a thoroughly detailed look at how the “media crisis” has been largely and deliberately ignored, or at least kept from public scrutiny. Chester traces the contacts and credentials of nearly every policy player to big industry ties, and states that the Federal Communications Commission and others have been engaged in a dishonest intellectual effort in their research of the issues and (lack of) regulation. According to Chester, the history of print, radio, and then television monopolization threatens to repeat itself in the formulation of Internet policy:
"That the self-serving interests of a few giants could end up threatening the potential of the Internet to serve democracy and fair competition illustrates the corruption and intellectual bankruptcy of US communications policymaking. Industry and its political supporters have hijacked the policy process, using the rhetoric of deregulation, to relegate the public into the passive role of consumers, reduced to whether they might have more channels to watch or pay a few cents less for them."
Chester responds with a call to arms for activists working on community broadband, equitable access, nondiscriminatory internet, noncommercial commons, electoral communications, and privacy to continue to organize in order to guarantee a brighter future for the democracy of new media.
-- Allison Knight
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Annual Privacy Coalition meeting. January 26-27, 2007. Washington DC. For more information: http://www.privacycoalition.org
Assessing Current Privacy Issues. Riley Information Services, Inc. February 21, 2007. Ottawa, Ontario, Canada. For more information:
National FOI Day Conference. March 16, 2007. Washington DC. For more information: http://www.firstamendmentcenter.org
5th Conference on Privacy and Public Access to Court Records. Center for Legal and Court Technology and Administrative Office of the United States Courts. March 22-23, 2007. Williamsburg, Virginia. For more
CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information:
29th International Conference of Data Protection and Privacy Commissioners. September 25-28, 2007. Montreal, Canada. For more
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.