=======================================================================
                           E P I C   A l e r t
=======================================================================
Volume 10.04                                          February 24, 2003
-----------------------------------------------------------------------
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

              http://www.epic.org/alert/EPIC_Alert_10.04.html

=======================================================================
Table of Contents
=======================================================================

[1] Data Sellers May Be Liable for Sale of Personal Information
[2] EPIC Files Comments at FTC Workshop on Cross-Border Fraud
[3] Senator Proposes Domestic Spy Agency; Bush Launches Threat Center
[4] Congress Passes "Do-Not-Call" Legislation
[5] EPIC Comments on Proposed Airline Passenger Database
[6] Privacy International Seeks "Stupid Security" Contest Submissions
[7] EPIC Bookstore: Hong Kong Data Privacy Law
[8] Upcoming Conferences and Events

=======================================================================
[1] Data Sellers May Be Liable for Sale of Personal Information
=======================================================================

The New Hampshire Supreme Court issued an important decision on February 18 in Remsburg v. Docusearch, a civil lawsuit brought against information brokers and private investigators for selling personal data about Amy Boyer to a stalker who murdered her after using that information to locate her. Boyer's killer obtained information about her through Docusearch, a data brokerage firm run by private investigators, who used pretexting to obtain Boyer's employment address and other information. EPIC filed an amicus brief in the case, arguing that private investigators and information brokers should be liable for wrongful privacy invasions of third parties about whom they are collecting and disseminating information.
The court held that private investigators and information brokers have a duty to exercise reasonable care when the sale of personal information creates a risk to the individual being investigated. The court found that stalking and identity theft are two foreseeable harms that give rise to the duty to exercise care. In a significant expansion of privacy protection, the court held that the investigators could be liable for damages resulting from the sale of information obtained through pretexting. This holding exceeds federal protections against pretexting phone calls, which were enacted with the passage of the Gramm-Leach-Bliley Act.

Finally, the court held that individuals may have a tort cause of action against investigators who purchase their Social Security Numbers (SSNs) from credit reporting agencies without permission. The court noted, "While a SSN must be disclosed in certain circumstances, a person may reasonably expect that the number will remain private."

Now that the New Hampshire Supreme Court has ruled, the case will be remanded to a federal district court where a trial will proceed to determine whether Docusearch and the other defendants were actually liable for Amy Boyer's death.

New Hampshire Supreme Court Decision in Remsburg v. Docusearch:

     http://www.courts.state.nh.us/supreme/opinions/2003/remsb017.htm

EPIC's Amicus Brief:

     http://www.epic.org/privacy/boyer/brief.html

EPIC's Amy Boyer Case Page:

     http://www.epic.org/privacy/boyer/

Amy Boyer Memorial and Informational Web Site:

     http://www.amyboyer.org/

=======================================================================
[2] EPIC Files Comments at FTC Workshop on Cross-Border Fraud
=======================================================================

On February 20, the Federal Trade Commission (FTC) explored "Potential Partnerships Among Consumer Protection Enforcement Agencies and Internet Service Providers and Web Hosting Companies" and "Cooperation Between Consumer Protection Enforcement Agencies and Domain Registration Authorities" as two panels of a public workshop on partnerships against cross-border fraud. EPIC submitted statements for inclusion in both of these panels.

In the "Potential Partnerships" panel, the discussion first focused on trying to assess how Internet Service Providers (ISPs) and Web hosting companies could more efficiently share their subscribers' personal information with the FTC and foreign law enforcement authorities in the context of cross-border fraud. EPIC's statement asserted that the FTC's foremost role is to protect consumers' privacy, and that the debate should be refocused to concentrate less on how privacy rules may represent a hurdle for law enforcement and more on how the FTC could articulate its law enforcement activities with the task of protecting the privacy of defrauded consumers.

To develop cooperation and information-sharing partnerships between the public and private sectors in the context of consumer fraud investigations, EPIC recommended to the FTC that the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines be used as a trans-national legal framework to protect the privacy of consumers in the context of the international transfer of personal information.
Because such guidelines have served as a model for several national data protection laws, they should foster consumer confidence by providing strong principles for the protection of consumer privacy. EPIC's statement also addressed many of the privacy implications of cross-border transfers of personal information in consumer fraud investigations.

During the panel on "Cooperation Between Consumer Protection Enforcement Agencies and Domain Registration Authorities", the FTC considered the expanded use of information about Internet domain name registrants for law enforcement purposes. In particular, the Commission explored how domain registrars and registries could improve the accuracy of WHOIS data in the generic top-level domains. WHOIS data consists of domain name registrants' contact information, administrative contact information, and technical contact information -- all of which include mailing address, email address, telephone number, and fax number -- as well as domain name, domain servers, and other information. This data is globally, publicly accessible.

EPIC recommended that the FTC address the privacy, free speech, and consumer fraud implications of requiring domain name registrants to provide accurate personal information. EPIC also emphasized that the FTC plays a critical role both in investigating consumer fraud and protecting consumers from fraud. Specifically, the FTC advises consumers not to disclose personal information, and if consumers choose to disclose personal information, they should know who is collecting the information, why the information is being collected, and how it is going to be used. EPIC argued that the same criteria should be applied to WHOIS data.
EPIC's statement on "Potential Partnerships Among Consumer Protection Enforcement Agencies and Internet Service Providers and Web Hosting Companies":

     http://www.epic.org/privacy/internet/ftc/epic_submission_022003.pdf

EPIC's statement on "Cooperation Between Consumer Protection Enforcement Agencies and Domain Registration Authorities":

     http://www.epic.org/privacy/whois/ftc_submission_021903.pdf

FTC public workshop on "Public/Private Partnerships to Combat Cross-Border Fraud":

     http://www.ftc.gov/bcp/workshops/crossborder/

=======================================================================
[3] Senator Proposes Domestic Spy Agency; Bush Launches Threat Center
=======================================================================

On February 13, Senator John Edwards (D-NC) introduced a bill, S. 410, that would authorize the creation of a "Homeland Intelligence Agency." The bill, titled the "Foreign Intelligence Collection Improvement Act of 2003," would create a domestic intelligence agency modeled after Britain's MI5 Security Service, but would incorporate what are characterized as innovative civil liberties safeguards.

Sen. Edwards argues that the law enforcement and intelligence gathering functions of the Federal Bureau of Investigation (FBI) are fundamentally inconsistent, and that the country needs an agency focused solely on domestic intelligence. The proposed agency would take over the intelligence functions of the FBI and would also obtain control over the domestic intelligence functions of the Central Intelligence Agency (CIA), National Security Agency (NSA), and other intelligence agencies. To balance the unprecedented centralization of domestic surveillance power, S. 410 proposes a system of rigorous internal auditing, enhanced public reporting and congressional oversight.
The Homeland Intelligence Agency would have an Office of Privacy and Civil Liberties Protection, along with an independent Citizens Advisory Board, to monitor the operations of the agency. The bill proposes that the Privacy Act's Fair Information Practices would apply to the collection of intelligence information and that the agency would conduct privacy impact assessments for its surveillance proposals. It also promises strong guidelines on data mining activities.

The Foreign Intelligence Collection Improvement Act is predicated on two assumptions: that a law enforcement agency cannot and should not have intelligence capabilities, and that there is a need for greater domestic intelligence gathering power. It is not clear, however, that either of these assumptions holds true. While Congress is unlikely to act upon the bill in the near term, it provides a concrete alternative solution to the debate about how to conduct lawful domestic intelligence gathering. Such proposals need to be analyzed carefully on their merits for potential ideas and problems.

Responding to criticisms about inadequate cooperation between the various intelligence agencies, the White House announced the creation of the Terrorist Threat Information Center (TTIC) on January 28. According to the press release, the TTIC will be implemented in three phases. In its initial stage, TTIC will primarily focus on the production of integrated terrorist threat analysis for senior policymakers. In the second phase of implementation, TTIC will be the principal gateway for policymaker requests for analysis of potential terrorist threats to U.S. interests, and will maintain a database of known and suspected terrorists. In its final stage, TTIC will serve as the hub for all terrorist threat-related analytic work. TTIC will be located in a facility separate from CIA and FBI Headquarters, but will be under the Director of Central Intelligence.
The FBI, meanwhile, is establishing an intelligence program to ensure that the collection and dissemination of intelligence is given the same institutional priority as the collection of evidence for prosecution. A new Executive Assistant Director for Intelligence will be given direct authority and responsibility for the FBI's national intelligence program.

S. 410, Foreign Intelligence Collection Improvement Act of 2003:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.00410:

Fact Sheet, Strengthening Intelligence to Better Protect America:

     http://www.whitehouse.gov/news/releases/2003/01/20030128-12.html

=======================================================================
[4] Congress Passes "Do-Not-Call" Legislation
=======================================================================

Congress has passed legislation to implement the Federal Trade Commission's Do-Not-Call (DNC) list. The legislation, H.R. 395, the Do-Not-Call Implementation Act, passed by unanimous consent in the Senate, and by a 418-7 vote in the House. The measure was sponsored by House Energy and Commerce Committee Chairman Billy Tauzin (R-LA).

The FTC will now move forward with implementation of its DNC list. It is expected to be operational by Fall 2003. However, to prevent its operation, the telemarketing industry has filed suit challenging the list. That case, US Security v. FTC, was filed on January 29, 2003, in federal court in Oklahoma.

The legislation now goes to the White House, where it is predicted that President Bush will sign the bill.

H.R. 395 is available at:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.00395:

EPIC's Telemarketing Page:

     http://www.epic.org/privacy/telemarketing/

=======================================================================
[5] EPIC Comments on Proposed Airline Passenger Database
=======================================================================

EPIC has submitted comments on a Transportation Security Administration (TSA) proposal to create a new database of Aviation Security Screening Records on all airline passengers. This proposed database was disclosed for the first time in a Privacy Act notice published in the Federal Register on January 15, 2003. EPIC argued that the notice did not provide sufficient information for the public to contribute meaningfully to this rule-making procedure. In fact, the TSA has resisted requests EPIC brought under the Freedom of Information Act (FOIA) to provide public access to relevant information in the agency's possession about the TSA proposal.

According to the Federal Register notice, the TSA proposes to collect passenger manifest information on all airline travelers and store it in a large centralized database. The manifest information includes "Passenger Name Records (PNR) and associated data." This includes date and time of flights, flight number, destination, reservation information, and payment information. According to the notice, the TSA would store the records until the "completion of the individual's air travel to which the record relates."

The TSA also proposes to collect and store data on "individuals who are deemed to pose a possible risk to transportation or national security." If a person is determined to be a "risk" under this opaque (and possibly arbitrary and/or discriminatory) procedure, the data will be stored for 50 years. The TSA, to date, has provided absolutely no information about how a passenger is determined to be a "possible risk to transportation or national security."
They also give no information about how such a person might become aware of his or her categorization, and how that categorization might be legally challenged. Indeed, one could argue that simply purchasing a ticket makes an individual a "possible" risk to transportation. The TSA proposes that if a person is determined to be a risk, the database will also be populated by detailed data about that person, including "risk assessment reports; financial and transactional data; public source information; proprietary data; and information from law enforcement and intelligence sources."

EPIC has requested that the TSA answer the following questions to enable better informed public comments on the merits of their proposal: (a) What is the aim of the Passenger Database? Is it the foundation of CAPPS-II (the TSA's data mining initiative similar to Total Information Awareness) or is it an integrated watch list? (b) What procedure will determine if a person is a "risk"? (c) How does a person become aware of being tagged as a "risk"? (d) How can that determination be legally challenged? and (e) What specifically are the policy and security safeguards to protect the Passenger Database?

The comments also discussed the privacy and security risks of the CAPPS-II initiative and the need for greater transparency for the other projects that are currently being pursued by the TSA.

EPIC's Comments:

     http://www.epic.org/privacy/airtravel/tsacomments2.24.2003.html

DOT Electronic Docket:

     http://www.epic.org/redirect/dot_docket.html

=======================================================================
[6] Privacy International Seeks "Stupid Security" Contest Submissions
=======================================================================

Privacy International, a privacy watchdog group based in London, is on a quest to find the world's most "stupid" security measure.
In order for a particular security measure to be considered "stupid," it should be one or more of the following: pointless, intrusive, annoying, or self-serving. The "Stupid Security" award aims to highlight the absurdities of the security industry. Privacy International director Simon Davies said the group had launched the contest as a result of numerous security initiatives around the world that had absolutely no genuine security benefit.

The competition is open to everyone, and will be judged by a panel of well-known security experts, public policy specialists, privacy advocates, and journalists. Nominations will be accepted until March 15, 2003. Winners will be announced at the 13th Annual Computers, Freedom & Privacy conference in New York on April 3, 2003.

For more information, see:

     http://www.privacyinternational.org/activities/stupidsecurity/

Nominations can be sent to: <stupidsecurity@privacy.org>

=======================================================================
[7] EPIC Bookstore: Hong Kong Data Privacy Law
=======================================================================

Mark Berthold and Raymond Wacks, "Hong Kong Data Privacy Law: Territorial Regulation in a Borderless World" (Thomson, Sweet & Maxwell Asia 2002)

     http://www.smlawpub.com.hk/products/prod_spec.asp?ProdId=406

It may surprise some in the West to learn that Hong Kong has one of the most advanced privacy laws in the world. But to those in the data protection field, the Hong Kong Data Privacy Law is a well known model for the protection of information privacy in the modern era. The Ordinance, as it is called, is derived from both the European Union Data Directive and international norms for privacy protection, including Article 12 of the Universal Declaration of Human Rights and Article 19 of the International Covenant on Civil and Political Rights. This is also a privacy law with teeth.
As Raymond Tang (the current Privacy Commissioner for Personal Data) notes, the Ordinance has been the subject of over 98,000 inquiries, 3,400 investigations, and 55 appeals before the statutory Administrative Appeals Board.

This is a privacy law that requires careful study, and this new text from Thomson delivers. Mark Berthold and Raymond Wacks have set out an extraordinarily useful overview of privacy law in Hong Kong and also the larger issues of privacy protection in the online world. The book details the operation of the Hong Kong Data Privacy Ordinance. It provides useful interpretation of key provisions, as well as reports and analysis of various cases decided under the law. Researchers, practitioners, and consumer advocates will find the text invaluable.

Berthold and Wacks have also made a significant contribution to the larger study of privacy protection in a borderless world. The text explores the impact of the Internet as well as the various technologies that both enhance and undermine privacy. In the final chapter the authors consider a range of important matters for policy makers around the world -- drafting privacy law, developing codes of practice, understanding the role of the privacy commissioner -- drawing often on the experience of Hong Kong and its own law. Their conclusion has universal application: "A well drafted, properly enforced and socially accepted data privacy regime provides a construct and valuable means by which to check the relentless, but far from inevitable, assault on our personal data and privacy."
                                        - Marc Rotenberg

Office of the Privacy Commissioner for Personal Data, Hong Kong:

     http://www.pco.org.hk/

EPIC / Privacy International, "Privacy and Human Rights: An International Survey of Privacy Law and Developments" 196-205 (EPIC 2002) (Discussion of Hong Kong)

     http://www.epic.org/bookstore/phr2002/

================================

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/foia2002/

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.
http://www.epic.org/bookstore/phr2002/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.
================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

** Uniting Privacy and the First Amendment in the 21st Century **
May 9-10, 2003
Oakland, CA

EPIC, the First Amendment Project, and the California Office of Privacy Protection are sponsoring this activist symposium designed to explore the interplay between privacy and First Amendment rights, with the goal of developing strategies for optimizing both. If you are interested in making a presentation or leading a Working Group, please submit a letter outlining your proposed presentation and including a brief explanation of the issue to be addressed, a list of possible presenters, and the desired outcome of the session to: <dgreene@thefirstamendment.org>

For more information: http://www.epic.org/events/unitingsymposium/

=======================================================================

Third Annual Privacy & Data Security Summit: Implementing & Managing Privacy in a Complex Environment. International Association of Privacy Professionals. February 26-28, 2003. Washington, DC. For more information: http://www.privacyassociation.org/html/conferences.html

Quality Labels for Web Sites: Alternative Approaches to Content Rating. Programme in Comparative Media Law and Policy (PCMLP), Oxford University. February 27, 2003. Kirchberg, Luxembourg. For more information: http://saferinternet.org/news/Quality-label-workshop.asp

The Law and Technology of DRM: What will DRM technologies mean for the future of information? University of California, Berkeley, School of Information Management and Systems and Boalt Hall School of Law. February 27 - March 1, 2003. Berkeley, CA. For more information: http://www.law.berkeley.edu/institutes/bclt/drm/

Legal and Pedagogical Aspects of a Safer Internet. Safer Internet For Knowing and Living (SIFKaL). February 28, 2003. Kirchberg, Luxembourg. For more information: http://rechtsinformatik.jura.uni-sb.de/sifkal/

Spectrum Policy: Property or Commons? Stanford Law School Center for Internet and Society. March 1, 2003. For more information: http://cyberlaw.stanford.edu/spectrum/

Improving Identification: Enhancing Security, Guarding Privacy. The Communitarian Network. March 6, 2003. Washington, DC. For more information: <mdunkelman@communitariannetwork.org>

Identity Theft: Current Enforcement and Prevention Efforts. New York City Bar Association, Committee on Consumer Affairs. March 12, 2003. New York, NY. For more information: <jgreenbaum@fkkslaw.com>

P&AB's Privacy Practitioners' Workshop and Ninth Annual National Conference. Privacy & American Business. March 12-14, 2003. Washington, DC. For more information: http://www.pandab.org/postcard.pdf

Big Brother Technologies. A Choices and Challenges Forum. Center for Interdisciplinary Studies, Virginia Polytechnic Institute and State University. March 27, 2003. Blacksburg, VA. For more information: http://www.cddc.vt.edu/choices/2003/

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy. Association for Computing Machinery (ACM). April 1-4, 2003. New York, NY. For more information: http://www.cfp2003.org/

28th Annual AAAS Colloquium on Science and Technology Policy. American Association for the Advancement of Science. April 10-11, 2003. Washington, DC. For more information: http://www.aaas.org/spp/rd/colloqu.htm

Integrating Government With New Technologies '03: E-Government, Change and Information Democracy. Riley Information Services. April 11, 2003. Ottawa, Canada.
For more information: http://www.rileyis.com/seminars/

RSA Conference 2003. RSA Security. April 13-17, 2003. San Francisco, CA. For more information: http://www.rsaconference.com/

Building the Information Commonwealth: Information Technologies and Prospects for Development of Civil Society Institutions in the Countries of the Commonwealth of Independent States. Interparliamentary Assembly of the Member States of the Commonwealth of Independent States (IPA). April 22-24, 2003. St. Petersburg, Russia. For more information: http://www.communities.org.ru/conference/

O'Reilly Emerging Technology Conference. April 22-25, 2003. Santa Clara, CA. For more information: http://conferences.oreilly.com/etcon/

Mid Canada Information Security Conference. Information Protection Association of Manitoba. April 30, 2003. Winnipeg, Manitoba, Canada. For more information: http://www.ipam.mb.ca/mcisc/

Technologies for Protecting Personal Information. Federal Trade Commission. Workshop 1: The Consumer Experience. May 14, 2003. Workshop 2: The Business Experience. June 4, 2003. Washington, DC. For more information: http://www.ftc.gov/techworkshop/

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For more information: http://conferences.oreilly.com/oscon/

Privacy2003. Technology Policy Group. September 30 - October 2, 2003. Columbus, OH. For more information: http://www.privacy2000.org/privacy2003/

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via e-mail:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information".

Please contact info@epic.org if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

** Receive a free Observing Surveillance conference poster with donation of $75 or more! **

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.04 ----------------------