E P I C A l e r t
At a public hearing of the Maryland Senate's Judicial Proceedings Committee concerning a bill calling for repeal of the federal REAL ID Act, EPIC testified about the privacy and security risks of the national ID scheme. The REAL ID Act mandates federal requirements for state driver's licenses and requires state DMVs to verify identification documents, such as birth certificates.
Melissa Ngo, Director of EPIC's Identification and Surveillance Project, explained that the privacy and security risks of REAL ID remain unresolved. The federal legislation would create a national database with the personal data of 245 million license and state ID cardholders, yet there is no plan for adequate privacy and security safeguards, EPIC said. EPIC said another significant security risk, besides that of attacks by unauthorized users, is that of authorized users misusing or abusing their power. For example, in a case in Maryland just last year, three people - including a Maryland Motor Vehicle Administration official - were indicted on charges of "conspiring to sell unlawfully produced MVA-issued Maryland identification cards."
There is also the threat that REAL ID is ostensibly trying to protect against: forged identification cards. "No matter how unforgeable we make it, it will be forged. We can raise the price of forgery, but we can't make it impossible. REAL IDs will be forged," security expert Bruce Schneier has said. This means that people with evil intent will get legitimate REAL ID cards in fake names, or even in the names of real people whose identities have been stolen, he said.
EPIC also pointed to the adverse impact on victims of domestic violence. The REAL ID Act requirement that state driver's licenses and identification cards must list a person's actual address is a grave threat to Maryland's address confidentiality program. Including data collection requirements without adequate privacy safeguards would put Maryland's domestic violence victims at risk.
The Maryland bill under consideration would refuse to implement the REAL ID Act, protest the actions of the Congress and the President in passing and signing the legislation, request the repeal of REAL ID, and notify the Maryland Congressional delegation, governor, president of Senate of Maryland, and speaker of the House of Delegates of the resolution. EPIC supported the bill, stating that "it is a sensible response by Maryland to an ill-conceived federal law."
Maryland S.J. 5: REAL ID Act of 2005: Protest and Repeal:
Bruce Schneier, Real-ID: Costs and Benefits:
EPIC's Testimony at Feb. 15, 2007, Hearing of the Maryland Senate Judicial Proceedings Committee (pdf):
EPIC's page on Domestic Violence:
EPIC's page on National ID Cards and the REAL ID Act:
Election reform continues to see significant contributions from the research and election integrity communities. A recently released Demos report on the accessibility of touch screen voting systems found that there are doubts that direct recording electronic or touch screen voting machines are providing access to voters with disabilities. The report found that although touch screen voting systems were once considered essential to private voting booth access for voters with disabilities, they often do not work as promised.
The Help America Vote Act mandated accessible voting systems for the disabled and for language minorities. The law explicitly directed that "at least one direct recording electronic voting system or other voting system equipped for individuals with disabilities at each polling place" be made available. Further accessibility included "non-visual accessibility for the blind and visually impaired, in a manner that provides the same opportunity for access and participation (including privacy and independence)." The report findings raise questions about whether this goal of equal voting rights for the disabled and language minority voters has been satisfied.
In other voting related news, the New York Times disclosed that the Election Assistance Commission had contracted a study on the impact of voter ID requirements on voter participation. Although the Commission has not released the final report, disclosed research revealed that Hispanic voters were 10% less likely to vote under those requirements for signatures or greater identification. African Americans were 5.7% less likely to vote under these conditions.
A paper published by one of the study's chief contributors, Dr. Tim Vercellotti, explores some of the issues outlined in the final report to the Commission. The paper, "Protecting the franchise, or restricting it? The effects of voter identification requirements on turnout," found that his research provided "evidence that as voter identification requirements vary, voter turnout does as well."
Demos Accessibility Report:
Help America Vote Act:
EPIC's page on Voting:
National Committee for Voting Integrity:
In comments to the Department of Homeland Security, EPIC urged the agency to fully apply Privacy Act requirements of notice, access, and correction to the new traveler redress program and its underlying system of watch lists. EPIC explained that full application of the Privacy Act requirements to government record systems is the only way to ensure that data is accurate and complete, which is especially important in the context of watch lists, where mistakes and misidentifications are costly.
The Traveler Redress Inquiry Program is described as "a central gateway to address watch list misidentification issues, situations where individuals believe they have faced screening problems at immigration points of entry, or have been unfairly or incorrectly delayed, denied boarding or identified for additional screening at our nation's transportation hubs." However, because the program provides a central system for submitting, directing and tracking, but not for resolving complaints, it fails to address the significant problems in current traveler redress procedures, EPIC said.
EPIC explained that the federal watch lists are full of errors. In December 2005, the director of TSA's redress office revealed that more than 30,000 people who are not terrorists have asked TSA to remove their names from the lists since September 11, 2001. Last month, the head of TSA said that the watch lists were being reviewed, and he expected to cut the list of names in half.
The Department of Homeland Security proposes to exempt the program from Privacy Act of 1974 requirements of access to, correction of, and accuracy of personal information. Instead of the Privacy Act obligations, the agency asks citizens to rely on its "internal quality assurance procedures" to ensure their files are accurate and complete. EPIC explained that these procedures aren't working, as evidenced by the many "false positives" and the difficulty citizens have when attempting to clear their names.
The reasons for exempting the program and the underlying watch list systems from Privacy Act requirements are specious, EPIC said. The deliberate obfuscation of information does not help the terrorists, but instead frustrates the innocent citizens who apply for redress because they are mistakenly matched to or mistakenly listed on the watch lists, EPIC said.
In the Privacy Impact Assessment for the redress program, the Department of Homeland Security discussed the accuracy of data collected from individuals seeking redress. "Because the individual provides the information about him or herself directly, the likelihood [Personally Identifiable Information] is greatly reduced." EPIC agreed, and said the only way to ensure the accuracy, timeliness, relevance and completeness of the data used is to allow individuals to access, review and correct their records.
Department of Homeland Security Press Release about TRIP:
Department of Homeland Security Privacy Office Privacy Impact Assessment of TRIP (Jan. 18, 2007) (pdf):
Department of Homeland Security Privacy Office Report on Watch Lists (Apr. 27, 2006) (pdf):
EPIC's Comments to the Department of Homeland Security about TRIP (pdf):
EPIC's November 2006 Spotlight on Surveillance on TRIP:
EPIC's page on Passenger Profiling:
Several consumer protection bills have been introduced. The Protecting Children in the 21st Century Act (S.49) prohibits the purchase or sale of personal information of individuals who are known to be under the age of 16 for the purposes of marketing to that individual. H.R. 1015 requires automobile dealers to disclose to consumers the presence of event data recorders, or "black boxes", on new automobiles, and requires manufacturers to provide the consumer with the option to enable and disable such devices on future automobiles. The Protecting Consumer Phone Records Act (S.92) prohibits providers of commercial mobile services from providing wireless phone numbers to directories without notice and consent. H.R. 964 criminalizes unfair/deceptive practices involving computers, including accessing or hijacking another's computer to damage it or another.
Two bills in the House and one in the Senate aim to protect Social Security numbers. H.R. 220 would prohibit the establishment in the Federal Government of any uniform national identifying number, while H.R. 948 and S. 238 would prohibit the display, purchase or sale of Social Security numbers.
The Ensuring Implementation of the 9/11 Commission Report Act (S.328) strengthens the Privacy and Civil Liberties Oversight Board. This provision is comparable to Title VIII of H.R. 1, the bill passed by the House in early January.
The Senate is considering the genetic privacy bill (S.358) that is identical to a House bill on the same topic, and the House has introduced a security breach notification bill, H.R. 836, that is similar to a Senate bill introduced last month by Senator Leahy.
The Intelligence Authorization Act, S.372, has been reported on twice in the Senate. The bill increases intelligence information sharing between federal agencies while limiting the application of the Privacy Act to that information and exempting files of the Office of the Director of National Intelligence from the search and review requirements of the Freedom of Information Act.
With regard to travel privacy, H.R. 1061 would require Homeland Security and one State to conduct a pilot program to determine if the driver's license of such State may be enhanced so as to satisfy the requirements of the "Western Hemisphere Travel Initiative" with respect to land and sea travel, and S.330 would establish a biometric identification card program so employers can verify immigrants' status.
Protecting Children in the 21st Century Act (S.49):
To require automobile dealers to disclose to consumers the presence of event data recorders, or "black boxes", on new automobiles, and to require manufacturers to provide the consumer with the option to enable and disable such devices on future automobiles (H.R. 1015):
Protecting Consumer Phone Records Act (S. 92):
Identity Theft Prevention Act of 2007 (H.R. 220):
Social Security Number Protection Act of 2007 (H.R. 948):
Social Security Number Misuse Prevention Act (S. 238):
Ensuring Implementation of the 9/11 Commission Report Act (S. 328):
Genetic Information Nondiscrimination Act of 2007 (S. 358):
Cyber-Security Enhancement and Consumer Data Protection Act of 2007 (H.R. 836):
Intelligence Authorization Act for Fiscal Year 2007 (S.372):
To implement the Western Hemisphere Travel Initiative and other registered traveler programs of the Department of Homeland Security (H.R. 1061):
Border Security and Immigration Reform Act of 2007 (S. 330):
Several European countries are looking at different ways of implementing data retention following a recent EU directive. Internet providers, wired and wireless carriers will have to maintain location and traffic data for up to two years. Retained data will be used for investigating terrorism and organized crime, rather than a more far-reaching proposal of “preventing” crime.
Different countries have until August of 2007 to sort out how to locally implement the directive. A German proposal would prohibit pseudonymous Internet usage. A Dutch proposal would mandate retaining the exact location of a cell phone user during their call. Meanwhile the United Kingdom is proposing to follow a voluntary system where the government funds the costs of data retention by participating telecommunications carriers and ISPs.
In the United States, Rep. Lamar Smith has introduced a bill on Internet exploitation of children that includes data retention requirements for Internet Service Providers (H.R.837). Attorney General Gonzales has called on ISPs to retain data for a “reasonable time,” in order to facilitate law enforcement prosecutions, but no requirement has yet been implemented. Currently, US ISPs retain user data voluntarily and to different extents. They are only legally required to retain data when specifically ordered to by courts.
EU Directive on Data Retention (Directive 2006/24/EC) (pdf):
Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act (SAFETY) of 2007 (H.R. 837):
EPIC's Page on International Data Retention:
Privacy International's page on EU Data Retention:
Federal Judge Restricts New York Police Surveillance of Protests
A federal judge limited the New York Police Department's ability to tape record lawful political protests. According to the decision, surveillance of protests is limited to when unlawful activity may occur and after an application has been made to a police intelligence commissioner. NYPD surveillance operates under a settlement agreement reached in 1985 in a case originally filed in 1971. The ruling clarified a 2003 interpretation of that agreement. The judge did not say that the NYPD violated the First Amendment, rather that it had violated that settlement agreement. Further violations of the clarified interpretation of the agreement could be met with contempt charges.
EPIC's page on Video Surveillance:
Handschu v. Special Services Division, 71 Civ. 2203 (CSH) (S.D.N.Y. 2007) (pdf):
Phoenix Airport Begins 'Backscatter X-Ray' Field Tests on Travelers
Beginning this Friday, Sky Harbor International Airport in Phoenix, Ariz., will be field testing a new "backscatter X-ray" system intended to screen passengers before boarding airplanes. This method of screening passengers would reveal not only prohibited items but also medical details such as prosthetic devices and old injuries. The $100,000 refrigerator-size machines use "backscatter" technology, which bounces low-radiation X-rays off of a passenger to produce photo-quality images of metal, plastic and organic materials underneath clothes. The machines were to debut in December, but the debut was postponed while the Transportation Security Administration attempted to answer the privacy concerns. Now, the agency says machine operators see an image that "obscures" a person's private areas; however, the machines still capture photo-quality images so detailed as to show genitalia. The fact that the machines have the capacity to record and store these detailed, unobscured images raises questions about secondary uses of the data.
EPIC's June 2005 Spotlight on Surveillance About Backscatter X-Ray Machines:
EPIC's Backscatter X-Ray Screening Technology Page:
Symposium on Attorney General's Report on Criminal History Background Checks
SEARCH, the National Consortium for Justice and Information Statistics, held a symposium on the Attorney General's Report on Criminal History Background Checks. Among the report's recommendations are that FBI criminal records be available to employers and private agencies conducting background checks and that privacy safeguards such as rights to appeal and informed consent be built into these background checks. EPIC's comments to the report preparers stressed that limits should be placed on the time that the information is available, and that individuals should have the right to correct their records, whether in private or government hands. It is expected that Congress will hold hearings on this report in the coming months.
Report on Criminal History Background Checks (pdf):
EPIC's Comments on Criminal History Background Checks:
Ponemon 2007 Privacy Trust Study of the United States Government
The Ponemon Institute has released its 2007 Privacy Trust Study of the United States Government, to understand the level of confidence Americans have in government agencies that routinely collect and use the public's personal information. The overall trend suggested a decline in public trust since the think tank first studied the issue in 2004. Interestingly, the survey showed diminishing public trust for the National Security Agency and particularly the Department of Veterans Affairs. The National Security Agency's domestic surveillance program, which operated without any legal authority, contributed to a significant loss of support for the agency, and the Department of Veterans Affairs, an agency that many Americans would otherwise support, recently lost the records of almost 27 million military personnel.
Ponemon 2007 Privacy Trust Study (pdf):
UPI-Zogby Poll on Health Privacy Concern
Over 50 percent of U.S. respondents in a UPI-Zogby International poll expressed privacy concerns regarding their medical records and information. African-Americans were the most likely to express concern as 34.5 percent of those participants gave an answer of “highly concerned.” Some 30.9 percent of Hispanics in the poll also said they were "highly concerned" with the privacy of their medical records.
EPIC's page on Medical Records Privacy:
Patient Privacy Rights:
Privacy and Human Rights 2006 Call for Contributions
The Privacy and Human Rights report provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy and Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
Editors of Privacy and Human Rights are interested in expanding their list of contributors. They are specifically interested in news and information from academics, experts and government officials from around the world regarding recent laws, initiatives, threats to privacy, NGO activities and other significant developments. Contributions can be submitted, using the template below, to Allison Knight at email@example.com.
Privacy and Human Rights Contribution Template:
Privacy and Human Rights 2005:
Privacy and Human Rights online at Privacy International:
"Identity Crisis: How Identification is Overused and Misunderstood" by Jim Harper (Cato Institute 2006).
This book offers a snapshot of the identification landscape, where we have been, where we are, and where we might choose to go. Harper's book provides a great outline of the issues surrounding identification as well as a glossary of terms and definitions to get a novice up to speed. He breaks down identification categories into three areas: something you are (color of hair, height, weight), something you know (mother's maiden name, SSN, birth date), and something you have (access card, attire, or other token). Each chapter begins with an amusing or interesting piece of history or instance where identity and identification were relevant. The underlying theme of the book is the value of identity and the advantages of identification in situations where it is beneficial to the person.
Harper makes some important observations about risk assessment analysis to determine the likelihood and the consequences of system failures. Having predetermined the level of risk that a system can withstand and the probability of success helps to develop balance in identification systems that encourages secure systems that are still useful in a practical commercial sense.
Harper distinguishes between government and private sector identification systems and notes that in government bad systems tend to be rewarded, while identification systems used by commercial entities have incentives to weed out bad systems of identification. Harper concludes that promoting the ability of the marketplace to reward good systems of identification, and penalize bad systems of identification, may be the best road to follow. However, the book offers only mild treatment of the willingness of the private sector to open its identity systems to government agencies upon request. The book is well written and a great read with lots of insightful and humorous observations about identification and identification systems, such as how they came into being and how they are used in large and small ways in our everyday lives. We are now in the digital information age and being aware of these important considerations about identity and identification systems is everyone's concern.
-- Lillie Coney
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Privacy Coalition Meeting. February 23, 2007. Washington DC. For more information contact Lillie Coney at: firstname.lastname@example.org
Internet Privacy Symposium: Research Findings from the OPC Contributions
Program. Privacy Commissioner of Canada and Law and Technology
University of Ottawa. February 23, 2007. Ottawa, Ontario. For more
Working Group Discussion on Federal Government Outsourcing of Intelligence Gathering and Law Enforcement Duties. EPIC and Liberty Coalition. February 28, 2007. Washington DC. For more information contact Melissa Ngo at: email@example.com
RFID and Ubiquitous Computing. Trans Atlantic Consumer Dialogue. March
12, 2007. Brussels, Belgium. For more information:
4th Annual Electronic Health Records Conference. Insight Information.
March 13, 2007. Vancouver, Canada. For more information:
Consumer Authentication: How Do You Know It Is Really Me? American Bar Association, Section of Business Law. March 16, 2007. Washington, DC.
National FOI Day Conference. March 16, 2007. Washington DC. For more information: http://www.firstamendmentcenter.org
5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more
The Policy Challenges of Electronic Privacy. European Parliamentary Technology Assessment organization. March 28, 2007. Brussels, Belgium. For more information contact firstname.lastname@example.org
CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:
Privacy Compliance Conference. The Canadian Institute. May 30-31, 2007.
Toronto, Canada. For more information:
29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007. Montreal, Canada. For more
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.