EPIC Alert
In response to a petition filed by EPIC, the Federal Communications Commission issued rules to protect the privacy of consumers' telephone records. The new safeguards prohibit unauthorized access to phone records, require passwords for customer accounts, require notice of any changes to account information, and establish opt-in consent before disclosing customer information.
FCC Chairman Martin called the unauthorized disclosure of customer information "a significant privacy invasion." In its petition, EPIC proposed five security measures that would more adequately protect access to call detail information: consumer-set passwords, security breach notification, audit trails, encryption, and limiting data retention. The FCC addressed the first two security measures in its rule, and announced a new rulemaking to consider audit trails, encryption, data retention, and safeguards for information stored in cell phones.
The rule prohibits companies from releasing call detail information over the phone except when the customer provides a password. The reason is to prevent others from pretending to be the customer and fraudulently obtaining the call record information. If a customer does not provide a password, the information can be disclosed by mail to the customer's address of record, or by the company calling the customer's phone number of record. The rule also requires that customers receive notice of any changes made to their account information. The rules also include a requirement to notify customers of unauthorized disclosures of telephone records; however, law enforcement agencies can delay notification, a provision that was criticized by Commissioner Copps and Commissioner Adelstein.
Previous regulations prohibited disclosure of call detail information to third parties offering non-communications-related services without the express, or opt-in, consent of customers. The FCC's new rule extends the requirement of opt-in consent to joint venture partners and independent contractors. The FCC stated that substantial evidence shows that "current opt-out rules do not adequately protect customer privacy," and that an opt-in regime "directly and materially advances privacy and safety interests by giving customers direct control over the distribution of their private information." The FCC also extended the rules to providers of interconnected VoIP service.
The FCC regulation addresses some of the issues that are considered in legislation pending in Congress. The Prevention of Fraudulent Access to Phone Records Act, H.R. 936 has been referred to the House Energy and Commerce Committee for consideration.
EPIC Executive Director Marc Rotenberg testified on March 9 in support of this legislation, stressing that action in this area was overdue. The Act calls for several of the same measures as the FCC regulations, such as opt-in requirements for third party disclosure, periodic audits of telecommunications carriers by the FCC, and the use of customer-specific identifiers in order to access call detail information.
In several areas, the Act provides stronger privacy protections than the regulations. The Act would require telecommunications carriers to keep a record of each time that a customer's call detail information was requested, if access was granted, and how the person's identity or authority to access the information was verified. Such records would provide customers with knowledge of how their information was improperly accessed, giving them a greater ability to prevent another breach. Furthermore, the Act requires timely notice to a customer if there is an unauthorized disclosure of his or her information. The Act also requires the FCC to consider making regulations to require deletion of call detail information after "a reasonable period of time if such data is no longer necessary for the purpose for which it was collected."
FCC Report and Order and Further Notice of Proposed Rulemaking (pdf):
Prevention of Fraudulent Access to Phone Records Act, H.R. 936:
EPIC's Petition to the FCC:
EPIC's Illegal Sale of Phone Records page:
EPIC Executive Director Marc Rotenberg appeared before the European Parliament's Committee on Civil Liberties, Justice and Home Affairs for a public seminar on transatlantic relations and data protection. The European Parliament is currently reviewing the transfer of travel, consumer, and financial information on European citizens to the United States government. European institutions are concerned about the absence of adequate privacy protection for personal information.
The seminar examined the constitutional and legal context of data processed in Europe, and in the USA, as well as the applicable principles on the international level for transfer of personal data, particularly as they pertain to passenger name records and financial data. The self-regulatory Safe Harbor model of data transfer was also discussed. Members of the European Parliament particularly wanted to know: what kinds of data are being collected; what are the reasons for the collection; problems that have arisen following collection; and what kinds of joint review and redress mechanisms exist.
Mr. Rotenberg's presentation outlined "Recent Privacy Developments in the United States." He explained that with respect to the privacy of travelers, "much of the focus continues to be on problems with the watch list systems as well as proposals to expand profiling and screening of air travelers." The data collected is being used by US authorities for a range of purposes other than the fight against terrorism. He pointed out "a critical shortcoming of the US Privacy Act," namely that it contains "no protection at all for non-US citizens," which results in a lack of redress for European travelers.
Greek Member of Parliament Stavros Lambrinidis said that he was "concerned about the amount of data transferred as well as about the unclear purposes for which it will be used." Data protection expert and Commission advisor Spiros Simitis said that the Commission had "clearly breached its obligations" by negotiating agreements that were in breach of data protection laws. The first two US-EU passenger name records agreements have been highly criticized for their lack of transparency, data protections, and redress provisions. Negotiations of a third agreement are currently underway. This month, a Parliamentary delegation will visit the US to discuss the passenger name records negotiations, as well as other data transfer issues.
European Parliament Committee on Civil Liberties, Justice and Home Affairs:
Marc Rotenberg, “Recent Privacy Developments in the United States” (pdf):
Privacy International SWIFT Campaign:
EPIC's EU-US Passenger Airline Data page:
In comments to the Federal Trade Commission, EPIC warned against using universal identifiers in authentication systems. "Any move toward universal identifiers, while potentially deterring amateur thieves, increases the potential for misuse once determined criminals steal that data," EPIC said.
EPIC also urged the restriction, rather than expansion, of the use of Social Security numbers as identifiers. "Social Security numbers have become a classic example of 'mission creep,' where a program designed for a specific, limited purpose has been transformed for additional, unintended purposes, sometimes with disastrous results," EPIC said. The pervasiveness of the SSN and its use to both identify and authenticate individuals threatens privacy and financial security; expanding use of the SSN, making it a universal identifier, would harm, rather than help, security efforts, EPIC said.
EPIC recommended against the creation of a centralized identification system and advocated an identity metasystem in which authentication is confined to specific contexts in order to limit the scope for potential misuse. EPIC and others have explained that it decreases security to have a centralized system of identification with one ID card for many purposes, as there will be a substantial amount of harm when the card is compromised. "Using a national ID card would be as if you used one key to open your house, your car, your safe deposit box, your office, and more," EPIC said. A centralized system of identification creates a "one-stop shop" for identity thieves. "The confidence and trust of consumers will fall when such a breach occurs; people will withdraw because of privacy and security questions," EPIC said.
EPIC explained that "a system of distributed identification reduces the risks associated with security breaches and the misuse of personal information." For example, a banking PIN number, in conjunction with a bank card, provides a better authentication system because it is not coupled with a single, immutable consumer identity. If the combination is compromised, a new bank card and PIN number can be issued and the old combination cancelled, limiting the damage done by the compromised data. "Distributing identity in this way allows for different profiles to be used in different authenticating contexts. New profiles can be created as required within a single identity metasystem," EPIC said. Misuse is therefore limited to the context of the information breached, whether it is a single bank account, online merchant, or medical records.
Possibilities for data misuse can also be limited at the data collection stage, EPIC explained. Amassing large databases of credit card numbers creates an attractive target for potential identity thieves. "One simple response to identity theft is to require a PIN to be used in conjunction with all credit cards. An identity metasystem would further reduce the value of such aggregated database targets, because authenticators would be separate and distinct from all personally identifiable information," EPIC said.
The FTC will hold a workshop, "Proof Positive: New Directions for ID Authentication," on April 23 at the Commission's Satellite Building Conference Center located at 601 New Jersey Avenue, NW, Washington, D.C. The event is open to the public and attendance is free. There will not be pre-registration.
EPIC Comments to the FTC (March 23, 2007) (pdf):
Federal Trade Commission Notice Announcing Workshop and Requesting Comments:
EPIC page on Identity Theft: Causes and Solutions:
EPIC page on National ID Cards and the REAL ID Act:
On March 27, 2007, FBI Director Robert Mueller testified before the Senate Judiciary Committee regarding the Bureau's National Security Letter authority. A recent report by the Department of Justice Office of the Inspector General found significant violations of law and regulations by the FBI in its use of National Security Letters. In his opening statement, Committee Chairman Patrick Leahy stated that the FBI's "pattern of abuse of authority and mismanagement causes me and many others on both sides of the aisle to wonder whether the FBI and Department of Justice have been faithful trustees of the great trust that the Congress and American people have placed in them to keep our nation safe while respecting the privacy rights and civil liberties of all Americans."
In his testimony, Mr. Mueller stressed the importance of the security letters in fighting terrorism. He further stressed that the FBI was committed to fixing the problems exposed in the report. However, many senators expressed concern over whether such problems could be fixed, again raising the question of whether the FBI should be stripped of its domestic intelligence functions in favor of creating a new agency for such duties. Senator Arlen Specter, the ranking Republican member on the committee, stated that "the question is emerging as to whether the FBI is up to the enormous task that we have asked it to perform," pointing out that "every time we turn around, there is another, very serious, failure on the part of the bureau."
Senator Specter showed particular concern for the fact that the report had uncovered that many of the National Security Letters issued under exigent circumstances were not based on a factual record to support such a letter. He stressed the vital importance of factual accuracy, stating that if incorrect facts are included, an individual is subjected to an invasion of privacy, and such letters should not be issued.
Representative Jane Harman (D-CA) reintroduced legislation on March 28, 2007, that would return the threshold for the issuance of a National Security Letter back to the pre-Patriot Act standard of requiring that the FBI show a specific connection to a terrorist or foreign power. The bill, H.R.1739, also requires the approval of a Foreign Intelligence Surveillance Court judge or designated United States Magistrate Judge prior to the issuance of a National Security Letter. The bill would further increase Congressional oversight of the FBI's use of the letters.
In a March 21, 2007, letter to the Senate Judiciary Committee, EPIC recommended that Congress repeal the FBI's National Security Letter authority. In 2005, EPIC uncovered documents concerning these letters which revealed violations of law reported to the Intelligence Oversight Board. EPIC advised the committee that these documents and the recent Inspector General report show that the FBI both misused its authority to issue National Security Letters and has failed to be forthcoming with information on the use of these powers. EPIC further urged that the result of these failures should be the repeal of Section 505 of the Patriot Act.
Office of the Inspector General's Report (pdf):
EPIC's Patriot Act Page:
EPIC's National Security Letters page:
EPIC's letter to the Senate Judiciary Committee (pdf):
In a new report, "Dilemmas of Privacy and Surveillance," the Royal Academy of Engineering explains that security and privacy are not at odds. The Academy urges the UK government to make "full use of engineering expertise in managing the risks posed by surveillance and data management technologies."
The Academy also says "[o]rganisations should not seek to identify the individuals with whom they have dealings if all they require is authentication of rightful access to goods or services." The Academy suggests that travel and shopping services can be designed to allow anonymous use, thereby maintaining personal privacy. For example, subway cards should not be linked to any personally identifiable data, because all that is needed is the authentication of the riders' ability to pay.
Stricter guidelines for companies who hold personal data, requiring them to store data securely, to notify customers if their data security is breached, and to tell customers what the data are being used for, are also necessary, the Academy says. The need for stricter guidelines comes from the expansion of large databases housing sensitive data; these databases and networks can "suffer from mechanical failure or software bugs. Human error can lead to personal data being lost or stolen. If the system breaks down, as a result of accident or sabotage, millions could be inconvenienced or even have their lives put in danger."
Among the other key recommendations of the report:
- Information systems should be designed to diminish the risk of failure and individuals should be compensated when failures occur
- The powers of the [UK] Information Commissioner should be extended
- Research into the effectiveness of camera surveillance is necessary, to judge whether its potential intrusion into people's privacy is outweighed by its benefits
- Commercial organisations that select their customers or vary their offers to individuals on the basis of profiling should be required, on request, to divulge to the data subjects that profiling has been used
- Access by individuals to their personal data should also be made easier; for example, by automatically providing free copies of credit reports annually
There has been a string of high-profile data breaches in the last year. Recently, at least 45.7 million credit and debit card numbers were stolen by hackers who accessed the computer systems at the TJX Companies in the United States over a period of several years, making it the biggest breach of personal data ever reported.
As the Royal Academy notes, "loss or theft of personal data, or significant mistakes in personal data, can have catastrophic effects on an individual. They may find themselves refused credit, refused services, the subject of suspicion, or liable for debts that they did not incur."
EPIC has long advocated the use of Privacy Enhancing Technologies that minimize or eliminate the collection of personally identifiable information. Recently, in comments to the Identity Theft Task Force, EPIC explained that these technologies allow for the separation of authentication and identification, creating authentication systems that preserve anonymity.
Royal Academy of Engineering, Dilemmas of Privacy and Surveillance: Challenges of Technological Change (March 26, 2007) (pdf):
National Research Council Report, "Who Goes There?":
EPIC page on Video Surveillance (CCTV):
EPIC Comments to Identity Theft Task Force (January 2007) (pdf):
EPIC page on Identity Theft: Its Causes and Solutions:
EPIC's comments to DC Metro:
Washington State Introduces RFID Enabled Driver's Licenses for Border Crossing
Washington State and the Department of Homeland Security are jointly testing a project where the state driver's licenses and identification cards will be accepted for use under the Western Hemisphere Travel Initiative, which regulates travel between the United States, Canada, Mexico, and the Caribbean. The Washington State ID cards would include proof of citizenship and other sensitive personal data beyond what current licenses hold. The licenses will include long-range radio frequency identification (RFID) technology, which EPIC has repeatedly warned is a privacy and security risk. The Department of Homeland Security's Data Privacy and Integrity Advisory Committee also has recommended against the use of RFID in ID documents.
EPIC's RFID Page:
Spotlight on Surveillance on the Western Hemispheric Travel Initiative
Government Report: Data Mining Program Has Numerous Privacy Risks
A federal data mining program created to troll vast amounts of data in order to attempt to find suspicious people has numerous privacy risks, according to the Government Accountability Office. In a report, the GAO says the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) program's privacy risks "include the potential for erroneous association of individuals with crime or terrorism and the misidentification of individuals with similar names." The GAO recommends that the Department of Homeland Security "immediately conduct a privacy impact assessment of the ADVISE tool to identify privacy risks and implement privacy controls to mitigate those risks." Previous data mining efforts by the federal government include the 2002 Total Information Awareness system, envisioned to give law enforcement access to private data without suspicion of wrongdoing or a warrant. After a public outcry and much criticism, in September 2003, Congress eliminated funding for the controversial project and closed the Pentagon's Information Awareness Office, which had developed it.
Government Accountability Office, Data Mining: Early Attention to Privacy in Developing a Key DHS Program Could Reduce Risks (Feb. 2007) (pdf):
EPIC page on Total Information Awareness:
Ontario Information and Privacy Commission Report on Biometric Encryption
The Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, released a joint research paper with Dr. Alex Stoianov, an internationally-recognized biometrics scientist. The paper, entitled, "Biometric Encryption: A Positive Sum Technology that Achieves Strong Authentication, Security AND Privacy," discusses how biometrics can be deployed in a privacy-enhanced way that minimizes the potential for surveillance and abuse, maximizes individual control, and ensures full functionality of the systems in which biometrics are used. The paper suggests that biometric encryption can address the privacy, security and trust problems of current biometric information systems. With biometric encryption, instead of storing a sample of one's fingerprint in a database, you can use the fingerprint to encrypt or code some other information, like a PIN or account number, or cryptographic key, and only store the biometrically encrypted code, removing the need to collect and store the biometric itself.
Information and Privacy Commission of Ontario:
EPIC's Biometric Identifiers page:
Internet Oversight Agency Creates New Group on Domain Name Privacy
The Internet Corporation for Assigned Names and Numbers (ICANN)'s WHOIS task force submitted its Final Report on WHOIS Services to Council at ICANN meetings in Lisbon last week. The report endorses the Operational Point of Contact (OPoC) proposal to limit public access to domain name registrants' personal information by allowing registrants to use alternate contact details. Because the proposal leaves many implementation details unanswered, the Council decided to establish a new working group to examine implementation issues. The group will focus on the endorsed OPoC approach, and will only return to the alternative proposal mentioned in the Final Report if it cannot sort out the implementation details.
Final Task Force Report on WHOIS Services:
EPIC's WHOIS page:
Biggest Ever Breach of Data
A data breach at the corporate parent of retailers such as TJ Maxx and Marshall's has exposed 45.7 million credit card account numbers. The previous record was the 2005 breach of 40 million numbers at Cardsystems Inc. Attackers broke into the company's computer system and downloaded the numbers over the span of several years. For 450,000 customers who had returned items, driver's license information was also lost. The size and timing of the breach are being disclosed in filings to the Securities and Exchange Commission after several months of TJX refusals to describe the breach. A ring of credit card fraudsters using data from TJX was recently apprehended in Florida. The breach spurred Congress to call for legislation protecting personal data. Senators Leahy and Specter have previously introduced the Personal Data Privacy and Security Act, S. 495.
Personal Data Privacy and Security Act, S. 495:
EPIC's Identity Theft page:
Cybercrime: Digital Cops in a Networked Environment, by J. M. Balkin (New York University Press, 2007).
"The Internet has dramatically altered the landscape of crime and national security, creating new threats, such as identity theft, computer viruses, and cyberattacks. Moreover, because cybercrimes are often not limited to a single site or nation, crime scenes themselves have changed. Consequently, law enforcement must confront these new dangers and embrace novel methods of prevention, as well as produce new tools for digital surveillance - which can jeopardize privacy and civil liberties. Cybercrime brings together leading experts in law, criminal justice, and security studies to describe crime prevention and security protection in the electronic age. Ranging from new government requirements that facilitate spying to new methods of digital proof, the book is essential to understand how criminal law - and even crime itself - have been transformed in our networked world."
Contributors: Jack M. Balkin, Susan W. Brenner, Daniel E. Geer, Jr., James Grimmelmann, Emily Hancock, Beryl A. Howell, Curtis E.A. Karnow, Eddan Katz, Orin S. Kerr, Nimrod Kozlovski, Helen Nissenbaum, Kim A. Taipale, Lee Tien, Shlomit Wagman, and Tal Zarsky
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Roundtable on Health IT and privacy. April 13, 2007. Washington, DC. For more information email firstname.lastname@example.org
Security and Liberty Forum. University of North Carolina. April 14, 2007. Chapel Hill, NC. For more information: www.seclibforum.org
Proof Positive: New Directions for ID Authentication Public Workshop. Federal Trade Commission. April 23 and 24, 2007. Washington DC. For more information contact: email@example.com
CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information:
Music, Technology and IP Policy Day. May 2, 2007. Washington, DC. For
Conference on Interdisciplinary Studies in Information Privacy and Security. Rutgers University. May 22, 2007. New Brunswick. For more information: http://www.scils.rutgers.edu/ci/isips/
Privacy Compliance Conference. The Canadian Institute. May 30-31, 2007. Toronto, Canada. For more information:
29th International Conference of Data Protection and Privacy Commissioners. September 25-28, 2007. Montreal, Canada. For more
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.