=======================================================================
                           E P I C   A l e r t
=======================================================================
Volume 10.15                                             July 22, 2003
-----------------------------------------------------------------------
                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

               http://www.epic.org/alert/EPIC_Alert_10.15.html

======================================================================
Table of Contents
======================================================================

[1] Senate Requires Reporting For CAPPS II; Extends TIA Moratorium
[2] EPIC Testifies on Credit Reporting Privacy, Inaccuracy
[3] First HIPAA Privacy Enforcement Details Reported
[4] U.S. Park Police Releases Video Surveillance Policy
[5] RFID PR Revealed; Wal-Mart Cancels Major RFID Effort
[6] EPIC Testifies on Use and Misuse of the Social Security Number
[7] EPIC Bookstore: "Censorship Inc."
[8] Upcoming Conferences and Events

======================================================================
[1] Senate Requires Reporting For CAPPS II; Extends TIA Moratorium
======================================================================

On July 10, the Senate voted to withhold funding for the Computer Assisted Passenger Prescreening System (CAPPS II) until the Transportation Security Administration (TSA) provides more information about procedural and technological safeguards in the program. The provision is included in the Senate version of the Homeland Security appropriations bill.

CAPPS II would allow the government to evaluate the security threat an individual poses by analyzing personal information about that person. Information could be collected from credit reports, public records, and criminal records, among other sources. Passengers labeled a high threat would not be permitted to fly.

The Senate version of the bill prohibits the TSA from using any funding from the Act "for testing (other than simulations), deployment, or implementation of [CAPPS II]." The Senate prohibition would remain in effect until the TSA reports to the Government Accounting Office and Congress on the status of the following aspects of the program: any system of due process for correcting erroneous information; the error rate of the system; evidence of "efficiency and accuracy"; an internal board to oversee development; safeguards against abuse; safeguards against hackers; policies providing effective oversight of the implementation of the program; and absence of any privacy concerns with the technology employed.

The House version of the spending bill contains no specific reference to CAPPS II; a conference committee must reconcile the two versions.

The Senate has also voted to suspend funding for the equally controversial Terrorism Information Awareness (TIA) program as part of the Department of Defense appropriations bill. TIA is intended to capture every person's "information signature" through the collection and compilation of records regarding their activities. With vast databases of information signatures, the government would use algorithms to track potential terrorists and criminals.

While the Senate version of the spending bill would provide no funding for TIA, the House version instead would ban the use of such technology on U.S. citizens without congressional authorization. A conference committee will work out the differences between the Senate and House versions of the spending bill.

The Senate version of the Homeland Security appropriations bill is available at:

     http://www.epic.org/redirect/senate_2555.html

More information about CAPPS II is available at EPIC's Air Travel Privacy Page:

     http://www.epic.org/privacy/airtravel

More information on Terrorism Information Awareness is available at EPIC's TIA Page:

     http://www.epic.org/privacy/profiling/tia

======================================================================
[2] EPIC Testifies on Credit Reporting Privacy, Inaccuracy
======================================================================

On July 9, the House Committee on Financial Services held an extensive hearing on H.R. 2622, the Fair and Accurate Credit Transactions Act (FACT Act). EPIC Deputy Counsel Chris Hoofnagle was among the witnesses who testified at the hearing.

EPIC's testimony focused on preserving state legislative and enforcement authority in credit regulation. Hoofnagle argued that states have historically enacted the best privacy protection, and treating the FCRA as a federal ceiling is an aberration. As "laboratories of Democracy," states are in an advantageous position to create innovative privacy protections, and they are better situated than Congress to quickly address problems.

An additional area of focus was affiliate sharing, as large banks can now exploit information inside their "corporate families." Because affiliate sharing allows financial institutions to share personal information about their customers without restrictions, it directly increases the risk of identity theft and fraudulent marketing.

Consumer advocate Stephen Brobeck of the Consumer Federation of America also argued that the bill does not adequately address the major problems in credit reporting, such as the mismerged file that occurs when two individuals' files are combined into one report. William Springs of the National Urban League and Hillary Shelton of the NAACP also testified on behalf of consumers. Mr.
Shelton argued that, under the current credit scoring system, minorities in all economic categories are disproportionately targeted with predatory and sub-prime lending.

In a separate letter to the Senate Banking Committee, EPIC presented evidence that systemic inadequacies at the Credit Reporting Agencies (CRAs) contribute to inaccuracy and consumer frustration. For instance, at one CRA, representatives are required to complete 100 consumer inquiries a day, giving them just four minutes per inquiry. The letter urges Congress to give consumers free and complete access to their reports.

EPIC's Testimony on H.R. 2622 is available at:

     http://www.epic.org/privacy/fcra/2622testimony.html

EPIC's Letter on CRA Inaccuracy is available at:

     http://www.epic.org/privacy/fcra/crainaccuracy7.10.03.html

======================================================================
[3] First HIPAA Privacy Enforcement Details Reported
======================================================================

Three months after the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule became effective, the first updates on enforcement activities reflect the law's early implementation difficulties. On June 24, the Office for Civil Rights (OCR), which is responsible for the enforcement of the Privacy Rule within the Department of Health and Human Services, provided an update to the National Committee on Vital and Health Statistics (NCVHS), a public advisory body to the Secretary of Health and Human Services.

Stephanie Kaminsky of OCR testified that the office received 637 complaints prior to the hearing date. Of those, OCR had closed 124 cases and 513 remained open. A total of 260 cases were accepted for investigation after OCR determined that the complaint dealt with an issue, time frame and entity over which OCR has proper jurisdiction. No cases have been referred to the Justice Department for criminal prosecution.

Complaints to the OCR have raised such issues as the inability of individuals to access their information, inadequate safeguards for health information, deficient provision of Notice of Privacy Practices, and insufficient minimum necessary procedures to limit disclosure in provider offices and facilities. OCR has repeatedly stated that its enforcement goals are to promote voluntary compliance within the health care sector and to handle most complaints by providing technical assistance to the entity involved.

Despite assurances that such assistance will be the primary means of enforcement, many health care organizations have become wary about disclosing information when civil and criminal penalties might follow. In an early July congressional briefing sponsored by the Healthcare Leadership Council, some organizations stated that they are delaying the use of e-mail and other communication technologies for transmitting information to patients. The delays are apparently caused by the need to have appropriate verification procedures and encryption in place to ensure that the information does not go astray.

Privacy Rule compliance and enforcement will remain prominent issues over the next year as OCR refines the substantive portion of the Enforcement Rule. The interim procedural Rule is set to expire in September 2004.

Office for Civil Rights in the Department of Health and Human Services:

     http://www.hhs.gov/ocr/hipaa

National Committee on Vital and Health Statistics:

     http://ncvhs.hhs.gov

For more information, see EPIC's Medical Privacy Page at:

     http://www.epic.org/privacy/medical

======================================================================
[4] U.S. Park Police Releases Video Surveillance Policy
======================================================================

The U.S. Park Police (USPP) recently released guidelines on the use of its video surveillance system in Washington, DC. The policy was formulated in response to critiques by Congress and the DC City Council more than a year ago that the USPP was not forthcoming about its use of video cameras, and should make public a policy on its camera surveillance of the Monumental Core of the nation's capital. For more than a year, the USPP has been constantly monitoring federal public spaces with undisclosed cameras without notifying the public, with few privacy safeguards in place and with little public oversight.

Last year the Metropolitan Police Department of the District of Columbia (MPDC) was also urged by Congress, the DC City Council and civil liberties groups to establish a video surveillance policy that would address privacy and freedom of speech concerns after the MPDC installed cameras without notifying the public or obtaining budget approval.

Although the USPP's current guidelines constitute a good starting point, they are generally more invasive than the MPDC's guidelines, providing for 24-hour, seven-day-a-week surveillance, and retention of records for six months. The USPP guidelines are less detailed than those implemented by the MPDC and do not provide for any effective oversight and accountability mechanisms. The USPP guidelines also do not exclude later use of face recognition technologies.

Furthermore, the USPP guidelines are based on the assumption that video surveillance is effective to detect and prevent terrorist attacks, as well as deter criminal activity -- a claim which has never been proved to be true. In fact, a reference meta-study conducted on the effectiveness of law enforcement use of video surveillance in the United Kingdom and the United States clearly shows no strong evidence that cameras in center city and residential areas deter criminals or offer any value as a crime-fighting tool. Further, the United Kingdom, which originally justified the installation of video cameras in response to a terrorism threat, has never caught a single terrorist, even after installing more than 1,500,000 cameras throughout the country during the last ten years.

A recent report from the General Accounting Office questions the secret surveillance by the Park Police and points to the USPP's lack of public transparency and openness.

The USPP's guidelines are subject to public comments.

USPP's CCTV Policy (June 2003) is available at:

     http://www.epic.org/redirect/uspp_surveillance_policy.html

EPIC's Video Surveillance Page is available at:

     http://www.epic.org/privacy/surveillance/

The UK government study on law enforcement use of video surveillance is available at:

     http://www.homeoffice.gov.uk/rds/pdfs2/hors252.pdf

The General Accounting Office's recent report on video surveillance is available at:

     http://www.gao.gov/new.items/d03748.pdf

======================================================================
[5] RFID PR Revealed; Wal-Mart Cancels Major RFID Effort
======================================================================

Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) recently located internal public relations documents detailing how Radio Frequency Identification (RFID) developers plan to offset public opposition to the widespread implantation of the tracking devices in consumer products. The documents, prepared by Fleishman-Hillard, a public relations consultancy, detail how such a campaign may unfold.

First, the documents outline the obstacles that hinder widespread implementation of RFID technology, including the desire of consumers to protect their privacy and cynicism about public and private sector concern for consumer privacy. The documents cite the need for the development of a proactive plan that would "neutralize opposition" and "mitigate possible public backlash."
One proposed method of doing so is through the creation of a Privacy Advisory Council made up of "well known, credible, and credentialed experts" who may be "potentially adversarial advocates." The documents cite EPIC as an example of a potential council member.

In related news, retail giant Wal-Mart announced on July 9 that it is shelving plans to tag consumer products with RFID chips, after it had urged 100 of its top suppliers to begin tagging products by 2005. Wal-Mart had joined forces with Gillette to develop a "smart-shelf" system, where shelves outfitted with RFID readers would track Gillette products. The RFID sensors would alert a store manager when inventory ran low or a high-theft item was removed from the shelf. A Wal-Mart spokesperson said the smart-shelf system, expected to launch at a store in Brockton, MA, was never fully installed, and materials from the project have been removed.

Although Wal-Mart says the move simply reflects a corporate decision to implement RFID technology in warehouses and distribution centers instead of retail stores, concerns about the misuse of data gleaned from the tracking devices have prompted a public outcry against the technology. Wal-Mart is not the only corporation to forego implanting consumer products with RFID tags in the wake of public pressure. Italian clothier Benetton halted plans to tag its apparel after privacy advocates called for a worldwide boycott of the company's products.

RFID systems enable data to be transmitted by a portable device, called a tag, which is read by an RFID reader and processed according to the needs of a particular application. The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, date of purchase, etc. Chips integrated into commonplace products such as floor tiles, shelf paper, cabinets, appliances, exercise equipment, and grocery and packaged products would allow even our most intimate activities to be monitored. Many technology experts already predict the development of a seamless network of millions of RFID receivers strategically placed around the globe in airports, seaports, highways, distribution centers, warehouses, retail stores, and consumers' homes, all of which are constantly reading, processing, and evaluating consumers' behaviors and purchases.

Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN):

     http://www.nocards.org

RFID Developers Internal Public Relations Documents are available at:

     http://cryptome.org/rfid-docs.htm

EPIC's RFID Page is available at:

     http://www.epic.org/privacy/rfid

======================================================================
[6] EPIC Testifies on Use and Misuse of the Social Security Number
======================================================================

On July 10, the House Subcommittee on Social Security of the Committee on Ways and Means held a hearing on the need to prevent Social Security Number (SSN) misuse. Led by Chairman E. Clay Shaw, Jr. (R-FL), the hearing focused on the widespread use and misuse of SSNs in the public and private sectors. Chairman Shaw announced that the committee would shortly be introducing new legislation addressing a variety of SSN issues. The hearing also examined legislative proposals aimed at combating SSN misuse and protecting privacy, as well as the potential ramifications of these proposals on businesses, consumers, and the government.

In his testimony, EPIC Deputy Counsel Chris Jay Hoofnagle reviewed historical and recent attempts to regulate the use of the SSN. Stating that there is ample legislative and judicial support for imposing limitations on the collection and use of the SSN, Hoofnagle asserted that consumers are often forced to reveal their SSNs to obtain goods and services, a practice called "coercive disclosure." Hoofnagle then described trends involving the SSN, including the statistical rise in identity theft complaints, the increasing occurrence of large-scale identity thefts, and the frequent use of the SSN in the private sector. He argued that regulation of SSN use is the key to preventing identity theft. Hoofnagle recommended that the Committee consider the Social Security Number Privacy and Identity Theft Protection Act of 2001, 107 H.R. 2036, as a guide to limiting the use of the SSN.

Other panelists included Barbara Bovbjerg, the Associate Director of the General Accounting Office; James G. Huse, Jr., the Inspector General of the Social Security Administration; Theodore Wern of the Identity Theft Resource Center, and Steve Edwards of the Georgia Bureau of Investigations. Bovbjerg testified on the public and private sector use of the SSN, and explained how easy it is to obtain false identification through the SSN by citing a study in which the GAO acquired a false state driver's license and a false social security card. Bovbjerg also emphasized the fact that replacement SSN cards are easily obtained and can be sold. Congressman Becerra discussed the possibility of third-party verification of personally identifying documents such as the social security card and the driver's license to protect against fraudulent documents.

Inspector General Huse encouraged limiting the availability of the SSN on public documents, and stressed that the use of the SSN as a personal identifier for the private sector is unnecessary (an idea that proved to be a recurring theme throughout the hearing). Wern testified on various forms of identity theft he has seen through his resource center, focusing on the theft of children's identities and those of military personnel. Wern argued that the SSN is the "golden piece of information" for identity thieves, and with a name and birth date, one can easily destroy an individual's credit.

EPIC's Testimony on SSN Misuse is available at:

     http://www.epic.org/privacy/ssn/testimony7.10.03.html

July 10 Ways and Means Hearing on Use and Misuse of SSN:

     http://www.epic.org/redirect/ssn_misuse_hearing.html

======================================================================
[7] EPIC Bookstore: "Censorship Inc."
======================================================================

Lawrence Soley, Censorship Inc., The Corporate Threat to Free Speech in the United States (Monthly Review Press 2002).

     http://www.powells.com/cgi-bin/biblio?inkey=62-1583670661-0

In his review of First Amendment cases, Lawrence Soley argues that the Supreme Court has created a broad bundle of free speech rights against government suppression of expression. Now lawmakers and the courts should turn to the private sector to grant limited First Amendment protections against business censorship. He catalogs the broad array of censorial powers possessed by private entities -- including product defamation lawsuits, massive retailers that ban books and music from stores, and the lack of expressive rights at properties open to and subsidized by the public. "Because such tactics are widely used to restrict speech," Soley argues, "businesses now pose a greater threat to free speech than government."

We live in a world with increasingly powerful private entities, ones that operate our meeting places and communities. For instance, today's equivalent of the Forum is the modern shopping mall. But most mall operators do not allow free speech, and courts in most states don't require it.
Further, mall owners can surround their buildings with massive parking lots, insulating the shopper from the possibility of being exposed to the inconvenient ideas presented by protestors. We should consider whether we have lost something as a society when our principal meeting places are insulated from all messages except the commercial.

Soley gives special attention to the censorial efforts of the advertising industry. He introduces the topic with a quote from legendary journalist and editor George Seldes. I've never heard a media lawyer ever utter his name, but he should be on our minds because he accepted no advertising and, as a result, was free to fully cover the misdeeds of big business and tobacco long before ad-dependent mass media could. Soley shows that large advertisers effectively place prior restraints on content by pulling accounts where publications even mentioned cancer, spoke of the availability of non-smoking flights, or covered homosexual lifestyles. Revlon even pulled advertising in an issue of one magazine because the cover bore the faces of women sans makeup.

Addressing these issues is difficult because the modern newspaper now contains more advertising than news, and derives its profits from advertising rather than subscriptions. Nevertheless, we could have a freer future with limited First Amendment protections against private actors. Soley's book pushes us in that direction, towards greater employee rights, free expression for artists and musicians, and for political organizing.

--Chris Jay Hoofnagle

================================

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.

     http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

     http://www.epic.org/bookstore/foia2002/

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.

     http://www.epic.org/bookstore/phr2002/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

     http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

     http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.

     http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

======================================================================
[8] Upcoming Conferences and Events
======================================================================

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk and Science Fiction. August 11-13, 2003. Prague, Czech Republic. For more information:

     http://www.inter-disciplinary.net/vhccsf03cfp.htm

Chaos Communication Camp 2003: The International Hacker Open Air Gathering. Chaos Computer Club. August 7-10, 2003. Paulshof, Altlandsberg, Germany. For more information:

     http://www.ccc.de/camp/

WWW2003: 5th Annual Conference on World Wide Web Applications. Department of Information Studies, Rand Afrikaans University, and the Department of Information Systems and Technology, University of Durban-Westville. September 10-12, 2003. Durban, South Africa. For more information:

     http://www.udw.ac.za/www2003/

Making Intelligence Accountable. The Geneva Centre for the Democratic Control of Armed Forces. September 19-20, 2003. Oslo, Norway. For more information:

     http://www.dcaf.ch/news/Intel%20Acct_Oslo%200903/ws_mainpage.html

Privacy2003. Technology Policy Group. September 30-October 2, 2003. Columbus, OH. For more information:

     http://www.privacy2000.org/2003/index.html

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via e-mail:

     To: epic_news-request@mailman.epic.org
     Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Problems or questions? E-mail <info@epic.org>

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.15 ----------------------