======================================================================

                          E P I C   A l e r t

======================================================================
Volume 10.17                                           August 21, 2003
----------------------------------------------------------------------

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.

           http://www.epic.org/alert/EPIC_Alert_10.17.html

======================================================================
Table of Contents
======================================================================

[1] Poindexter Resigns, But Legacy of TIA Remains
[2] Tampa Police Drop Failing Face Recognition System
[3] CA Passes Strongest Financial Privacy Standard in the Nation
[4] EPIC Releases Fact Sheet on Homeless Tracking Systems
[5] Maryland Governor Orders Audit of Electronic Voting Machines
[6] News in Brief
[7] EPIC Bookstore: Protecting Your Money, Privacy and Identity
[8] Upcoming Conferences and Events

======================================================================
[1] Poindexter Resigns, But Legacy of TIA Remains
======================================================================

Retired Admiral John M. Poindexter has resigned from his position as head of the Defense Advanced Research Projects Agency's Information Awareness Office. In a strongly-worded and unapologetic resignation letter, Poindexter defended his office's controversial projects, including its plans for an online futures market for predicting terrorist attacks and its Total Information Awareness (TIA) system. He dismissed mounting criticism from both government officials and citizens as the result of misunderstanding, misrepresentation by media, and a "highly-charged political environment."

Poindexter insisted that the Total Information Awareness project -- a surveillance system employing a centralized global database of individuals' personal data -- was not a threat to privacy. "We never contemplated spying and saving data on Americans," wrote Poindexter. "We only wanted to find specific patterns of activities that would lead us to foreign terrorists."

While Poindexter's resignation, and severely curtailed funding for the project, leave the future of TIA in doubt, a new state-level system in Florida may serve much the same function. Police agencies in the state are currently developing a centralized database surveillance system similar in structure to TIA, with funding assistance from both the Justice Department and the Department of Homeland Security. The system, dubbed Matrix, would enable investigators to find patterns and links among people and events using a combination of police records and commercially available personal data. At least 135 police agencies have signed up for the service, which is poised to expand to other states across the country.

The text of Poindexter's resignation letter is available at:

     http://www.epic.org/privacy/profiling/tia/poindexterletter.pdf

More information about the TIA system is available at EPIC's Total Information Awareness Page:

     http://www.epic.org/privacy/profiling/tia/

Read more about Florida's new centralized Matrix surveillance system at "U.S. Backs Florida's New Counterterrorism Database," Washington Post, August 6, 2003:

     http://www.epic.org/redirect/washpost_databse.html

======================================================================
[2] Tampa Police Drop Failing Face Recognition System
======================================================================

The Tampa Police Department has abandoned the face recognition software used in conjunction with its video surveillance cameras, citing the system's failure to recognize anyone wanted by the authorities over a two-year period. Tampa authorities first used the technology during the 2001 Super Bowl -- without any success -- when they systematically scanned every attendee's face to compare it with a list of suspects' mug shots.
The system used in Tampa never led to any arrests or positive identifications, though it occasionally wrongly identified innocent people as wanted felons.

Face recognition technology is one of the tools used in biometrics, the science of identifying people using parts of their bodies. Coupled with video surveillance, the technology captures "signatures" of faces on high-resolution cameras and compares them with mug shots in police databases, which generally include people with outstanding felony warrants, and those on the FBI's "most wanted" list and terrorist watchlists.

Face recognition technology has never been proved to be reliable. Studies sponsored by the U.S. Department of Defense have shown the system is accurate only fifty-four percent of the time and can be significantly compromised by changes in lighting, weight, hair, sunglasses, subject cooperation, and other factors. Likewise, tests on the face recognition systems in operation at Palm Beach Airport in Florida have shown the technology to be ineffective and error-ridden, leading authorities to forgo use of face-recognition equipment. In Virginia Beach, Virginia, police use of the technology has not resulted in the apprehension of a single wanted person in over a year.

In Washington, DC, the Metropolitan Police Department (MPD) two years ago began installing a wide network of cameras without prior authorization from the City Council. Last year, under pressure from Congress, the Council and civil liberties organizations, the MPD agreed to comply with a set of video surveillance guidelines. The guidelines do not, however, regulate the use of facial recognition tools. Although the technology apparently has never been used in conjunction with the DC cameras, nothing would prevent the police from doing so; the MPD has always left open that possibility and has acknowledged that its cameras could easily operate with face recognition tools.
A bill pending in the DC Council would flatly prohibit any use of face recognition technology without specific legislative authorization. The United States Park Police, a federal agency with jurisdiction over DC's federal lands, recently released a "Closed Circuit Television Policy" that leaves open the possibility of using the technology with its cameras located on the Mall and other federal areas of the nation's capital.

More information about video surveillance is available at:

     http://www.epic.org/privacy/surveillance/

More information about face recognition is available at:

     http://www.epic.org/privacy/facerecognition/

Information about EPIC's Observing Surveillance project is available at:

     http://www.observingsurveillance.org/

======================================================================
[3] CA Passes Strongest Financial Privacy Standard in the Nation
======================================================================

California will soon have the strongest financial privacy protections in the country as the result of the passage of SB 1, the California Financial Information Privacy Act. Introduced by State Senator Jackie Speier (D-San Mateo), passage of the bill followed a critical compromise among the bill's sponsors, privacy advocates, and the financial services industry. Governor Gray Davis is expected to sign the bill into law within the next ten days, which will end a four-year debate in the State on financial privacy and the progress of a stronger initiative movement that would have required opt-in for all disclosures of personal information.

Under the federal Gramm-Leach-Bliley Act, financial services companies must give notice of their privacy policies and allow individuals to opt out of information sharing among non-affiliated companies.
Accordingly, financial services companies can transfer information amongst corporate affiliates over a customer's objection, and can fashion "joint marketing" agreements to circumvent the wishes of individuals who opt out.

Under the new law, Californians will be able to opt out of some affiliate sharing, and opt-in will be required before financial services companies sell information to non-affiliates. Certain affiliates -- those regulated by the same agency and that operate in the same line of business -- will be able to transfer data even if a customer opts out. The bill requires financial institutions to provide consumers with a self-addressed envelope for opting out. Institutions will not be able to deny services to those who choose to restrict the exploitation of personal information.

The ultimate fate of these protections is unclear. A recent decision in Bank of America v. Daly City (see EPIC Alert 8.16) struck down regulations of affiliate sharing enacted by several California cities. It is likely that the financial services industry, despite agreeing not to oppose SB 1, will file suit to have the affiliate sharing provisions invalidated. The impending suit should not affect provisions of the law on notice and non-affiliate sharing. However, Congress could take action this fall, and apply the California standard to the entire country when considering amendments to the federal Fair Credit Reporting Act.
The text of SB 1 is available at:

     http://www.epic.org/redirect/sb_1.html

More information about the Gramm-Leach-Bliley Act is available at:

     http://www.epic.org/privacy/glba/

More information about the Fair Credit Reporting Act is available at:

     http://www.epic.org/privacy/fcra/

Additional information about federal financial privacy law is available at:

     http://www.epic.org/privacy/rfpa/

======================================================================
[4] EPIC Releases Fact Sheet on Homeless Tracking Systems
======================================================================

EPIC has published a fact sheet on Homeless Management Information Systems (HMIS) (see EPIC Alert 10.16). HMIS are database systems that the Department of Housing and Urban Development (HUD) is requiring shelters to maintain. Under the proposed guidelines, federally funded shelters and other care organizations will be required to collect unique identifiers, as well as physical and mental health information on each benefits recipient. There are specific provisions that require the collection of HIV and pregnancy status.

Homeless tracking presents a number of privacy and civil liberties concerns. First, HMIS lays the infrastructure for a nationwide system of homeless tracking. The proposed guidelines mandate consistency in data collection, and the ability to export all data in the system to a common format. This raises substantial risks for those living with HIV, physical or mental health disabilities, or others who have conditions that potentially subject them to stigma or discrimination.

Second, government access to the database is nearly unlimited. Under the proposed guidelines, system users can disclose information from the database to Secret Service or agents of a national security agency without any showing of an emergency, a court order, or even a risk of attack.
Law enforcement access is more limited, but nevertheless, HUD is not requiring police to obtain warrants or court orders before releasing HMIS data.

Third, HMIS places victims of domestic violence at heightened risk of harm. Many victims flee violent partners by staying in shelters, and HMIS may provide opportunities for malicious actors to locate their victims.

The EPIC fact sheet argues that HUD should seek less invasive alternatives to evaluate the effectiveness of benefits and support for the poor. For instance, HUD could perform a census on a specific day to obtain an unduplicated count of the homeless staying in particular shelters. Such a census would not require the collection of personal identifiers or tracking over time, and would be less expensive.

The public can comment on HMIS until September 22, 2003 by mail to HUD. No provision for electronic or fax submissions has been arranged. Comments should be addressed to:

     Michael Roanhouse
     Re: Doc. No. FR 4848-N-01 / HMIS Data
     Office of Special Needs Assistance Programs
     Office of the Assistant Secretary for Community Planning and Development
     Room 7262
     HUD
     451 7th St. SW
     Washington, DC 20410

EPIC's Homeless Tracking Fact Sheet is available at:

     http://www.epic.org/privacy/poverty/hmisfactsheet.pdf

HUD's proposed HMIS Guidelines are available at:

     http://www.epic.org/privacy/poverty/hmis.pdf

More information about privacy and the homeless is available at:

     http://www.epic.org/privacy/poverty/

======================================================================
[5] Maryland Governor Orders Audit of Electronic Voting Machines
======================================================================

Less than two weeks after Johns Hopkins University computer scientists released a report criticizing security flaws in Diebold voting machines (see EPIC Alert 10.16), Maryland Governor Bob Ehrlich has ordered an independent review of the 11,000 touch-screen AccuVote-TS voting machines that the state of Maryland agreed to purchase from Diebold for $55.6 million. Maryland officials had intended the electronic voting system to be used in the presidential primary election next spring.

Maryland retained Science Applications International Corporation, an international computer security firm, to evaluate the Diebold machines and their proprietary code. If the firm is not satisfied with the machines' security, the state may request that Diebold make improvements or cancel the purchase altogether.

Ehrlich's order supports the position of a Maryland state panel that asked the state not to purchase new voting technology without a better understanding of its accuracy and security risks, a request which Maryland denied. State elections board officials expressed little interest in delaying the purchase prior to Ehrlich's order, claiming that state and federal law require Maryland to improve its voting systems as soon as possible.
The Johns Hopkins researchers' study concluded last month that AccuVote-TS voting machines, the same machines Maryland agreed to purchase from Diebold, could be easily manipulated by hackers, voting insiders and others to produce skewed voting results.

The press release from Governor Ehrlich's office announcing the review order is available at:

     http://www.gov.state.md.us/PressReleases/080603-votingsystems.asp

The Johns Hopkins researchers' report "Analysis of an Electronic Voting System" is available at:

     http://www.avirubin.com/vote.pdf

More information about electronic voting is available at:

     http://www.verifiedvoting.org

======================================================================
[6] News in Brief
======================================================================

Mississippi District Installs Webcams in Classrooms

A school district in Biloxi, Mississippi became the first in the nation to install a system of Internet-wired video cameras, nearly 500 total, to monitor its classrooms and hallways 24 hours a day. The district, which enrolls 6,300 students, cited security concerns as the basis for its camera use. Only designated school officials and security personnel are permitted to view the images, which can be displayed on computers linked to the Internet. Other school districts in the U.S. and Britain are beginning to experiment with classroom webcams, as well.

Additional information about student privacy is available at:

     http://www.epic.org/privacy/student/

Presidential Commission Proposes Monitoring Mail

The President's Commission on the Postal Service has recommended that the postal agency collaborate with the Department of Homeland Security to study the development of sender-identification requirements for all mail. A proposed system, called "Intelligent Mail," would use tracking codes to verify who sends and receives mail.
The commission cited the system as a way to improve the security of the postal network, as well as a means of enabling businesses and consumers to track their mail. Critics, however, warn that eliminating the ability to send anonymous mail could infringe on individual privacy rights.

The final report of the President's Commission on the Postal Service is available at:

     http://www.ustreas.gov/offices/domestic-finance/usps/

EPIC Introduces Five New Web Pages

The Electronic Privacy Information Center has added five new web pages to its site, focusing on RFID tags; credit scoring; polygraph testing; the Privacy Protection Act of 1980; the Right to Financial Privacy Act; and privileges. In addition, privacy.org provides a daily update of new developments on privacy-related issues.

EPIC's new RFID Page is available at:

     http://www.epic.org/privacy/rfid/

EPIC's new Credit Scoring Page is available at:

     http://www.epic.org/privacy/creditscoring/

EPIC's new Polygraph Testing Page is available at:

     http://www.epic.org/privacy/polygraph/

EPIC's new Privacy Protection Act of 1980 Page is available at:

     http://www.epic.org/privacy/ppa/

EPIC's new Right to Financial Privacy Act Page is available at:

     http://www.epic.org/privacy/rfpa/

EPIC's new Privileges Page is available at:

     http://www.epic.org/privacy/privileges/

For up-to-date news on new developments on privacy-related issues, visit:

     http://www.privacy.org

======================================================================
[7] EPIC Bookstore: Protecting Your Money, Privacy and Identity
======================================================================

Jim Gaston & Paul Wing: Protecting Your Money, Privacy and Identity from Theft, Loss and Misuse (The Canadian Institute of Chartered Accountants 2003).
     http://www.cica.ca/

There is no lack of writing and warnings out there about the need to protect yourself and your assets these days, but it is hard to find a book you would give your aging mother to read to help her get up the courage to bank online. This new publication, although focused on the Canadian environment, is a very useful contribution to the literature. We still long for the republication and updating of the now out-of-print classic "The Privacy Rights Handbook: How to Take Control of Your Personal Information," by Beth Givens of the Privacy Rights Clearinghouse, but there is no sign of that happening soon. In the meantime, Gaston and Wing have done a great job of organizing the daunting task of protecting your own personal information. They are banking and Internet security experts, and have included a number of useful tips about everyday e-commerce tasks.

This is a calm and sober walk through the mysteries of protecting your personal information, with a family perspective. There is a certain amount of repetition in the book, because it is organized into chapters which naturally have overlap (sensitive information at home and away, communications and transactions, debit cards and credit cards, seven chapters on all aspects of protecting your computer, your transactions, your email, etc.). Activities are rated in terms of risk, and there are summaries of "Practical Steps to Protect Yourself" in each chapter under each theme, such as dealing with telephone inquiries, sending and receiving faxes, and using wireless connections.

More computer literate readers will doubtless argue with some of the advice, or complain that it is not detailed enough. This book is aimed at the general reader, though, and one of the biggest problems we have to deal with in teaching good privacy and security practices is the fact that the average user is very easily overwhelmed by technical information. There are useful workbooks at the back of the book, and a short glossary.
The book could be more useful for the reader who wants to learn more if it included a bibliography for further reading. There is no discussion of the problems of particular platforms, hardware and software -- obviously a deliberate choice -- but there is no question these decisions make a difference to risk. Finally, once everyone follows the advice and gets virus scanners and firewalls, managing them could be dealt with in more detail.

--Stephanie Perrin

================================

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/foia2002/

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.
http://www.epic.org/bookstore/phr2002/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world.
The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

======================================================================
[8] Upcoming Conferences and Events
======================================================================

Voting Machines: A Threat To Democracy? The Ethical Society. September 7, 2003. Philadelphia, Pennsylvania. For more information: http://www.phillyethics.net

Surveillance and Privacy 2003: Terrorists and Watchdogs. Baker & McKenzie Cyberspace Law and Policy Centre and University of New South Wales Law Faculty. September 8-9, 2003. Sydney, Australia. For more information: http://www.bakercyberlawcentre.org/2003/Privacy_Conf/

25th International Conference of Data Protection and Privacy Commissioners. September 10-12, 2003. Sydney, Australia. For more information: http://www.privacyconference2003.org/

WWW2003: 5th Annual Conference on World Wide Web Applications. Department of Information Studies, Rand Afrikaans University, and the Department of Information Systems and Technology, University of Durban-Westville. September 10-12, 2003. Durban, South Africa. For more information: http://www.udw.ac.za/www2003/

Making Intelligence Accountable, September 19-20, 2003. Oslo, Norway. The Geneva Centre for the Democratic Control of Armed Forces. For more information: http://www.dcaf.ch/news/Intel%20Acct_Oslo%200903/ws_mainpage.html

The State of Accountable Government in a Surveillance Society. Office of the Information and Privacy Commissioner for British Columbia. September 25-26, 2003. Victoria, British Columbia. For more information: http://www.oipc.bc.ca/anniversary/

Privacy2003. Technology Policy Group. September 30-October 2, 2003. Columbus, OH.
For more information: http://www.privacy2000.org/2003/index.html

UbiComp 2003 Privacy Workshop. October 12, 2003. Seattle, WA. For more information: http://guir.berkeley.edu/pubs/ubicomp2003/privacyworkshop/

Getting the Technology You Deserve: Community Participation in Regional Cable Franchise Policy. Computer Professionals for Social Responsibility. October 25, 2003. Seattle, Washington. For more information: http://www.cpsr.org/conferences/annmtg03/

ICANN Meeting. Internet Corporation for Assigned Names and Numbers. October 27-31, 2003. Carthage, Tunisia. For more information: http://www.icann.org/carthage/

RFID Privacy Workshop. Massachusetts Institute of Technology. November 15, 2003. Boston, Massachusetts. For more information: http://www.rfidprivacy.org

Localizing the Internet: Ethical Issues in Intercultural Perspective. International Center for Information Ethics. October 4-6, 2004. Karlsruhe, Germany. For more information: http://icie.zkm.de/congress2004

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via e-mail:

     To: epic_news-request@mailman.epic.org
     Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Problems or questions? e-mail <info@epic.org>

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list.
We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.17 ----------------------