=======================================================================

                          E P I C  A l e r t

=======================================================================
Volume 10.10                                               May 23, 2003
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_10.10.html

======================================================================
Table of Contents
======================================================================

[1] Pentagon Submits Report on Info Awareness Project
[2] EPIC Testifies at Senate Spam Hearing
[3] Justice Department Reports on PATRIOT Act Implementation
[4] FTC Workshop on Technologies for Protecting Personal Information
[5] EPIC Obtains ChoicePoint Documents in FOIA Suit
[6] News in Brief
[7] EPIC Bookstore: Invisible Punishment
[8] Upcoming Conferences and Events

======================================================================
[1] Pentagon Submits Report on Info Awareness Project
======================================================================

On May 20, the Pentagon's Defense Advanced Research Projects Agency (DARPA) submitted its congressionally-mandated report on the Total Information Awareness Program (TIA), now re-named the "Terrorism" Information Awareness Program. The name change, according to DARPA, was necessary because the original name "created in some minds the impression that TIA was a system to be used for developing dossiers on U.S. citizens."

Congress required DARPA to provide responses to five questions.
First, a detailed accounting of the funds, proposed expenditure plans, and target dates for deployment; second, an analysis discussing the likely efficacy of the surveillance program; third, an analysis of the likely impact on privacy and civil liberties; fourth, an accounting of the current laws that would govern information being sought by TIA and any modifications to the laws that TIA might require; and finally, Congress asked for recommendations, endorsed by the Attorney General, for practices, procedures, and regulations to eliminate or minimize adverse effects on privacy and other civil liberties.

DARPA's report describes the program's goals and budget information, its efforts to develop protections for the data it plans to collect, and an explanation of how it intends to comply with U.S. laws.

The report reveals that DARPA is building a prototype for the Army's Intelligence and Security Command (INSCOM) for the Information Dominance Center (re-named Information Operations Center). In addition, the report discloses more information about projects such as "Scalable Social Network Analysis," "Activity Recognition and Monitoring," and "Next-Generation Face Technology" that has not been publicly reported.

The Information Awareness Office, whose mission is described as developing technologies to "counter asymmetric threats by achieving total information awareness," is pursuing the development of four different categories of technologies. First, the umbrella program, the Information Awareness prototype; second, tools for collaboration and decision support; third, language translation programs; and fourth, data storage, mining and information classification technologies.

In response to questions about the legal restrictions surrounding the collection of data for the information awareness program, DARPA states that it will only use information that is legally obtainable by the Federal government. This includes information available to intelligence agencies.
The report does not discuss the role of the judicial branch or the legislative branch in limiting or overseeing executive branch powers. The report also suggests that Pentagon officials view privacy as a question of developing appropriate classification of information and authorization for government officials. This is in contrast to genuine privacy protections, such as the Fair Information Practices embodied in the Privacy Act, which limits the collection of information and provides opportunities for access and correction of records to provide due process rights to individuals.

The public report provides an opportunity for more informed public debate over the TIA program and its goals. EPIC has made available TIA contractor documents it obtained under the Freedom of Information Act to enable greater public oversight of the surveillance program.

Congress will need to determine if DARPA has fully answered the questions required by law. It must also determine whether the operational deployment of information awareness technology in the Army's INSCOM is permitted under restrictions preventing the technology from being deployed against U.S. persons without explicit Congressional approval.

The DARPA report on TIA is available at:

     http://www.epic.org/privacy/profiling/tia/may03_report.pdf

EPIC's Total Information Awareness Page:

     http://www.epic.org/privacy/profiling/tia/

======================================================================
[2] EPIC Testifies at Senate Spam Hearing
======================================================================

The Senate Commerce Committee explored Unsolicited Commercial Email, or "spam," at a hearing on May 21. EPIC Executive Director Marc Rotenberg testified on the need for strong, effective measures to reduce spam.
Other panelists included FTC Commissioners Orson Swindle and Mozelle Thompson, AOL Vice Chairman Ted Leonsis, the CEO of Brightmail, a leading anti-spam company, a representative from the Network Advertising Initiative, and Ronnie Scelson, a spammer.

EPIC's testimony argued in favor of "opt-in" mailing lists, a private right of action for consumers, and freedom for states to pursue spammers, combined with technical measures and international cooperation.

Rotenberg noted that spam is increasing rapidly and threatens to choke email communications, but that it is a complex problem to solve. Legislation alone will not stop spam, but could play an important role. A multi-tiered approach that includes aggressive enforcement, better technology for identifying and filtering spam, and cooperation at the state and international level would all be necessary. The Transatlantic Consumer Dialogue (TACD) has called for international cooperation in helping consumers fight unsolicited commercial messages. He pointed out that legislative responses to the spam problem might set precedents for other emerging communications media where unsolicited commercial messages are sent to consumers.

Rotenberg argued that technical solutions such as filtering tools or the blocking of incoming emails may not be sufficient. Filters or blocking tools would be either ineffective or might overblock important messages from friends or business. Solutions must also be sensitive to the constitutional implications; a requirement, for instance, to identify the sender of non-commercial messages would be unconstitutional.

FTC Commissioner Thompson told the committee that legislation was needed, while Commissioner Swindle argued that technological solutions would provide a better fix. They agreed to provide the committee with a set of policy recommendations within 45 days based on information from the FTC's recent Spam Forum.
AOL's Leonsis argued in favor of federal legislation that would assist AOL's efforts to combat spam. The Network Advertising Initiative supported strong legislation to prohibit deception and fraud through spam, but opposed legislation requiring companies to obtain opt-in consent before sending unsolicited commercial messages. They also seek federal preemption of state laws.

The most colorful witness, Scelson, who is a self-identified spammer, made a commercial free speech defense of his activities. He accused AOL and other Internet Service Providers of spamming their own members and entering contracts with spammers who agreed to pay a higher price to reach the ISPs' users.

EPIC's testimony is available at:

     http://www.epic.org/privacy/junk_mail/spam/testimony5.21.03.html

Senate Commerce Committee witness list and testimony:

     http://commerce.senate.gov/hearings/witnesslist.cfm?id=773

======================================================================
[3] Justice Department Reports on PATRIOT Act Implementation
======================================================================

The Justice Department has released a sixty-page report that provides fresh insights into its use of the USA PATRIOT Act surveillance powers. The report responds to a series of critical questions posed by the House Judiciary Committee that sought to understand what the department was doing to fight terrorism and protect civil liberties.

The report describes the operational changes initiated by the new Attorney General Guidelines and the Foreign Intelligence Surveillance Review Court opinion that brought down the "wall" between intelligence and law enforcement. Additionally, the report provides information on data-mining activities currently underway at the department and DOJ's assistance in the development of the airline passenger profiling program.
Finally, DOJ classified sections of the report addressing its foreign intelligence guidelines under Executive Order 12333 and how it conducted three successive "sweeps" of Arab American and South Asian communities since September 11.

The report attempts to play down the government's use of the new powers, while at the same time showing that they have been crucial in disrupting terrorist plots. The examples used to illustrate the use of the new authorities are in many cases unrelated to terrorism, such as credit card fraud, kidnapping, drugs, and theft. The report provides some new statistics on the use of delayed notification searches and seizures under Section 213 of the PATRIOT Act.

The report discloses that following the FISA Review Court's endorsement of the Attorney General's new Guidelines that weakened the "wall" between intelligence and criminal investigations, criminal prosecutors are reviewing 4,500 intelligence files for evidence or information for use in criminal cases. The department notes that criminal investigations and immigration enforcement are "key preventative tools" for counter terrorism and that information obtained through the FISA is being used for those purposes. The report also discusses FISA procedures, training programs and field guidelines. Information on the department's use of other surveillance techniques under sections 204, 206, 214, and 215 is being provided to the Committee in classified form.

The report attempts to explain how the new Attorney General's Guidelines allowing FBI access to publicly available information and public spaces, including mosques, have worked in practice. It also discusses the Secure Counterterrorism Operational Prototype Environment (SCOPE) and Investigative Data Warehouse, which are the FBI's attempts to develop specialized tools to "identify and present hidden relationships" in the data.
The data sources for data-mining and pattern recognition include commercial data from ChoicePoint and iMap, federal government data, and intelligence data. DOJ acknowledges that the use of data-mining must comply with the Privacy Act and asserts that it provides access to data stored by the Justice Department. The department also disclosed that the Computer Assisted Passenger Pre-Screening Program, if implemented, proposes to use the Violent Gang Terrorist Organization File (VGTOF) to screen airline passengers.

The Justice Department report is available at:

     http://www.epic.org/privacy/terrorism/usapatriot/may03_report.pdf

EPIC's USA PATRIOT Act Page:

     http://www.epic.org/privacy/terrorism/usapatriot/

EPIC's Attorney General's Guidelines Page:

     http://www.epic.org/privacy/fbi/

======================================================================
[4] FTC Workshop on Technologies for Protecting Personal Information
======================================================================

On May 14, the Federal Trade Commission (FTC) explored "Technologies for Protecting Personal Information: The Consumer Experience" as part of a public workshop on the role of technology for consumer privacy protection. During the workshop, the FTC considered consumer tools for managing the collection and use of personal information.

EPIC commented that the starting point for such a discussion is a clear understanding of what is meant by privacy enhancing technologies (PETs). PETs are technologies or tools that eliminate or minimize the collection of personally identifiable information. Individuals commonly use PETs in the physical world. Cash, for instance, enables us to purchase items and services without transferring any personally identifiable information. Digital cash could function in a similar way.

After providing a number of examples of tools that genuinely advance privacy, EPIC noted several common characteristics to them.
For example, all genuine PETs:

  * limit the collection of personally identifiable information;
  * enable commerce and communication;
  * do not facilitate the collection of personal information;
  * do not force Internet users to trade privacy for convenience; and
  * do not treat privacy as a business commodity.

These are all desirable characteristics that genuinely advance privacy and promote transactional activity in the online environment.

For more information on the workshop, see:

     http://www.ftc.gov/bcp/workshops/technology/index.html

======================================================================
[5] EPIC Obtains ChoicePoint Documents in FOIA Suit
======================================================================

Documents obtained under a Freedom of Information Act (FOIA) lawsuit provide more insight into how law enforcement and counterintelligence agents are using private-sector databases to obtain personal information. Much of the material concerns ChoicePoint, one of the largest data-vending firms. The documents were heavily redacted by the FBI, which excised "ChoicePoint information," even when the information appeared in news stories collected by the agency.

An FBI memorandum titled "Guidance Regarding the Use of ChoicePoint for Foreign Intelligence Collection or Foreign Counterterrorism Investigations" analyzes law enforcement use of ChoicePoint in the context of federal privacy laws and the Attorney General's Guidelines. The memorandum rationalizes use of private-sector databases as the "least intrusive means" of collecting personal information and concludes that ChoicePoint can be used for foreign intelligence and counterintelligence investigations.

A presentation titled "The FBI's Public-Source Information Program Fact Versus Fiction" highlights the agency's access to property records, professional licenses, news articles, driver and DMV records, census records, and credit headers.
It lists ChoicePoint, Westlaw, Lexis Nexis, Dun and Bradstreet, and credit reporting agencies as sources for this information. Reliance on these databases has increased by 9600 percent since 1992, according to the presentation. However, one unnamed credit reporting agency is no longer selling credit header information to law enforcement.

Unrelated documents filed in a federal lawsuit in the Northern District of Georgia indicate that ChoicePoint is constructing a "Central Biometric Authority." According to the complaint filed by International Biometric Group and ChoicePoint's answer, the central biometric authority is intended to perform "secure and standardized acquisition, matching, and indexing of biometric data." This biometrics database appears to be in development for ChoicePoint's expanding employee and volunteer background check services.

FBI Guidance on Use of ChoicePoint:

     http://www.epic.org/privacy/publicrecords/cpfcimemo.pdf

FBI Presentation on Public Source Information:

     http://www.epic.org/privacy/publicrecords/cpfbippt.pdf

Complaint in International Biometric Group v. ChoicePoint:

     http://www.epic.org/privacy/publicrecords/ibmvcpcomplaint.pdf

Answer in International Biometric Group v. ChoicePoint:

     http://www.epic.org/privacy/publicrecords/ibmvcpanswer.pdf

======================================================================
[6] News in Brief
======================================================================

Microsoft Passport Flaw Discovered

A computer researcher in Pakistan found a new flaw in Microsoft Passport that could expose personal information, including credit card numbers, for 200 million Internet users. In July and August 2001, EPIC and a coalition of consumer advocacy groups filed detailed complaints with the Federal Trade Commission (FTC) concerning the privacy risks associated with the Passport identification and authentication system.
The FTC found that Microsoft's representations about Passport constituted unfair and deceptive trade practices and settled the action against Microsoft. The agreement requires that Microsoft establish a comprehensive information security program for Passport, and that it must not misrepresent its practices of information collection and usage.

EPIC's Passport Page:

     http://www.epic.org/privacy/consumer/microsoft/passport.html

Senate Holds First Fair Credit Reporting Hearing

The Senate Banking Committee began the first of a series of hearings to determine whether states should be able to enact laws that provide greater consumer protection than federal law. The hearing was held because one portion of the Fair Credit Reporting Act relating to preemption of state laws will expire on January 1, 2004, thus paving the way for states to experiment with different approaches to credit law.

The sole witness before the committee was Howard Beales, Director of the FTC's Bureau of Consumer Protection. While the FTC has not taken a position on preemption, the agency did describe three important ways in which credit reporting has changed. First, more types of businesses are using credit reports. Second, there is a greater reliance on prescreening, unsolicited offers of credit or insurance that are targeted to certain individuals based on their credit reports. Last, many businesses are now using credit reports for risk-based pricing for products and services.

FTC Testimony:

     http://banking.senate.gov/03_05hrg/051503/beales.pdf

EPIC Preemption Watch Page:

     http://www.epic.org/privacy/preemption/

U.S. To Require Biometrics in Visas and Passports

Pursuant to the Homeland Security Act of 2002, the Department of Homeland Security will introduce the US-VISIT (United States Visitor and Immigrant Status Indicator Technology) program by the end of 2004. The program collects, maintains and shares information, including biometric identifiers on foreign nationals.
The system is designed to scan travel documents, take fingerprints and pictures of foreign nationals to check them against government databases. Other biometric identifiers, such as facial recognition and iris scan, are likely to be introduced by 2005. Citizens of nations that participate in the Visa Waiver Program will be asked either to show a national passport that contains biometric data (fingerprint) or they will be excluded from the waiver program and have to apply for a visa. The database that will be created under the US-VISIT program will store all data for an unspecified length of time and will be shared across all law enforcement agencies.

U.S. VISIT Program Fact Sheet:

     http://www.dhs.gov/dhspublic/display?content=736

======================================================================
[7] EPIC Bookstore: Invisible Punishment
======================================================================

Invisible Punishment: The Collateral Consequences of Mass Imprisonment, The New Press, ISBN 1-56584-726-1

     http://www.thenewpress.com/newbooks/invspunish.htm

On any given day in America's capital over 10 percent of African-American men between the ages of eighteen and thirty-five are in prison, and over half are under some form of correctional supervision. Under current conditions, well over 75 percent of African-American men in the District of Columbia can expect to be incarcerated at some time in their lives. Nationwide a million people are convicted of felony crimes each year; 450,000 of them are sentenced to prison. Incarceration is the predominant mode of crime control in the United States, as the country follows what appears to be a social policy of mass imprisonment.
"Invisible Punishment" is a fascinating new book from the Sentencing Project, a public interest organization that promotes criminal justice reform, and chronicles how the unprecedented expansion of the prison system over three decades has also brought with it a complex network of "invisible punishments" affecting families and communities nationwide. Federal and state governments impose collateral punishments for crimes that include denying voting rights, welfare benefits, public housing, social security benefits, and creating registration laws. Private employers have followed suit by increasingly relying on fingerprinting and background checks for employment decisions. As one of the authors argues, "In the modern welfare state, these restrictions of the universe of social and welfare rights amount to a variant on the tradition of 'civil death' in which the offender is defined as unworthy of the benefits of society, and is excluded from the social compact."

The prison policy has a disproportionate impact on minorities and raises fundamental questions of justice, fairness, and access to resources. In 1980, 40,000 people were in prison for drug possession. Today, because of the War on Drugs, there are a half million people in prison on drug charges. The result of the mass imprisonment policy is the creation of a large population of felons, concentrated in poor, minority communities, who are "marked" and "monitored" and cut off from the supports of modern society. The authors warn us that, "We are creating deeper and longer-lasting distinctions between 'us' and 'them.'" And, of course, such a policy produces further inequality by reinforcing the cycle of diminished expectations for the next generation.

Technologies of identification, record storage and data linkage create the conditions for invisible punishment to flourish. David Burnham's prescient book, "The Rise of the Computer State," discussed these problems in 1980.
Current information technology, including new surveillance programs, coupled with the increasing reliance on private sector database operators such as ChoicePoint that are not accountable to the public, only exacerbates the problem. "Invisible Punishment" challenges us to consider how these practices of exclusion operate through technology and what we must do to fix our systems to make our society more fair and just.

- Mihir Kshirsagar

================================

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/foia2002/

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.
http://www.epic.org/bookstore/phr2002/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world.
The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

======================================================================
[8] Upcoming Conferences and Events
======================================================================

Workshop on Compliance with European Union Data Protection Requirements. June 2, 2003. U.S. Department of Commerce, TRUSTe and Oracle Corporation. Oracle Conference Center, 350 Oracle Parkway, Redwood Shores, CA.

Technologies for Protecting Personal Information. Federal Trade Commission. Workshop 1: The Consumer Experience. May 14, 2003. Workshop 2: The Business Experience. June 4, 2003. Washington, DC. For more information: http://www.ftc.gov/techworkshop/

ITS-2003: Third International Conference on "Information Technologies and Security." June 23-27, 2003. Partenit, Crimea, Ukraine. For more information: http://www.itb.conferen.ru/eng/info_e.html

Press Freedom on the Internet. The World Press Freedom Committee. June 26-28, 2003. New York, NY.

Building the Information Commonwealth: Information Technologies and Prospects for Development of Civil Society Institutions in the Countries of the Commonwealth of Independent States. Interparliamentary Assembly of the Member States of the Commonwealth of Independent States (IPA). June 30-July 2, 2003. St. Petersburg, Russia. For more information: http://www.communities.org.ru/conference/

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For more information: http://conferences.oreilly.com/oscon/

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk and Science Fiction. August 11-13, 2003. Prague, Czech Republic.
For more information: http://www.inter-disciplinary.net/vhccsf03cfp.htm

Integrating Privacy Into Your Overall Business Strategy: Complying with Privacy Legislation for Competitive Advantage. International Quality and Productivity Centre (IQPC Canada). July 9-10, 2003. Toronto, Canada. For more information: http://www.iqpc-canada.com/NA-1987-01

Chaos Communication Camp 2003: The International Hacker Open Air Gathering. Chaos Computer Club. August 7-10, 2003. Paulshof, Altlandsberg, Germany. For more information: http://www.ccc.de/camp/

WWW2003: 5th Annual Conference on World Wide Web Applications. Department of Information Studies, Rand Afrikaans University, and the Department of Information Systems and Technology, University of Durban-Westville. September 10-12, 2003. Durban, South Africa. For more information: http://www.udw.ac.za/www2003/

Making Intelligence Accountable, Oslo, Norway September 19-20, 2003. The Geneva Centre for the Democratic Control of Armed Forces. For more information: http://www.dcaf.ch/news/Intel%20Acct_Oslo%200903/ws_mainpage.html

Privacy2003. Technology Policy Group. September 30-October 2, 2003. Columbus, OH. For more information: http://www.privacy2000.org/privacy2003/

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via e-mail:

     To: epic_news-request@mailman.epic.org
     Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Problems or questions? e-mail <info@epic.org>

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.
======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

     http://www.epic.org/donate/

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.10 ----------------------