=======================================================================
                        E P I C   A l e r t
=======================================================================
Volume 10.21                                           October 17, 2003
-----------------------------------------------------------------------

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.

           http://www.epic.org/alert/EPIC_Alert_10.21.html

======================================================================
Table of Contents
======================================================================

[1] EPIC Sues DOJ for PATRIOT Act Lobbying Info
[2] Canada's Biometric ID Plan Under Fire
[3] EPIC, PIRG Submit Comments on Bank Security Notices
[4] Senate Passes Genetic Privacy Measure
[5] European Parliament Opposes Air Travel Data Transfer
[6] News in Brief
[7] EPIC Bookstore: Corporateering
[8] Upcoming Conferences and Events

======================================================================
[1] EPIC Sues DOJ for PATRIOT Act Lobbying Info
======================================================================

EPIC filed suit in federal district court this week seeking the release of Department of Justice (DOJ) records regarding the efforts of federal prosecutors to oppose legislative revisions to the controversial USA PATRIOT Act. The lawsuit challenges DOJ's refusal to expedite the processing of EPIC's Freedom of Information Act (FOIA) request for the material.

On July 22, the House of Representatives voted 309-118 to prohibit the use of federal funds for the execution of delayed notice search warrants. "Sneak and peek" warrants, which were authorized by the USA PATRIOT Act, allow law enforcement officers to conduct a search of an individual's property and delay notifying that individual until after the search occurred.

On August 14, DOJ issued a memorandum urging all U.S. Attorneys "to call personally or meet with . . . congressional representatives" to talk over "the potentially deleterious effects" of denying funding for delayed notification warrants. The memo included a list of Representatives and identified those who had voted to prohibit such warrants. The memorandum received substantial media coverage and raised serious questions regarding the legality of the prosecutors' lobbying efforts.

EPIC submitted a FOIA request to DOJ for information about the memorandum, and requested expedited processing, as provided under the FOIA and DOJ regulations. The department refused to expedite on the grounds that "the subject of [EPIC's] request is not one of exceptional media interest, nor does it raise any questions about the government's integrity which might affect public confidence." Furthermore, DOJ determined that EPIC's request "does not support a finding that that there is an urgency to inform the public" about DOJ's lobbying campaign.

EPIC filed suit October 14, seeking a preliminary injunction requiring DOJ to process EPIC's request and release the documents as soon as possible. In support of its entitlement to expedited processing, EPIC noted widespread media interest in the DOJ memorandum and cited editorials and news articles questioning the propriety of the prosecutors' lobbying activities.

EPIC's memorandum in support of its motion for a preliminary injunction is available at:
     http://www.epic.org/open_gov/foia/otter-pi.pdf

For background information, see EPIC's USA PATRIOT Act page:
     http://www.epic.org/privacy/terrorism/usapatriot

======================================================================
[2] Canada's Biometric ID Plan Under Fire
======================================================================

The proposal by the Immigration Minister to implement a system of biometric identification in Canada has met with a blast of public opposition since its inception last year.
In the face of concerns over terrorism, and in the interest of furthering commerce and travel, the program aims to encode biometric identifiers -- such as iris scans, fingerprints and hand geometry -- onto ID cards in order to guarantee that each Canadian is who he or she claims to be. A biometric identifier is any physical characteristic of a person that can be recorded and matched against a person.

An interim report issued by the House of Commons quotes the Minister as stating: "The card provides certainty because of the security around its issuance and the technology used in the card." However, the report referred to polls and the testimony of several experts to show that support for the biometric IDs is not strong. The report also cautioned that biometric IDs "could have wide implications for privacy, security and fiscal accountability," and proposed that the government receive more feedback from the public-at-large.

At the same time, a report by Citizenship and Immigration Canada, a department of the Canadian government, found that most people predict that biometric identifying IDs will be found in all Canadians' wallets within the next ten years. The report was released at a two-day conference held to encourage discussion of the use of biometric identifiers and a national ID card and lay out how the policy would be implemented.

Stephanie Perrin, President of Digital Discretion Company, Inc. and senior fellow at EPIC, addressed privacy concerns at the conference. She urged caution and pointed to several inherent problems with the policy, including the rapid implementation, the security of the information, persons unable to produce a certain biometric identifier, and other abuses and discriminations that are likely to result.

Another concern is cost. Governmental forecasts of the financial cost of the project range from 3 to 7 billion dollars ($2.3 to $5.3 in USD).
However, foreign watchdog groups that have studied similar plans in other countries insist these projections are likely too low.

Not all government officials are on board with the plan. Canada's Interim Privacy Commissioner recently issued a statement, warning of the complexity, risks and costs of the program. He stated that identification cards "allow us to be identified even in situations where we have every right to remain anonymous" and warned that "without technical limitations and strict controls on their use, they are a power tool to link together our various activities and produce profiles of our lives."

There are indications that public opposition may be turning the tide. Earlier this month, the Minister was reported to backpedal on his one-mechanism approach to verifying citizen identity. In a statement, the Minister proposed a more incremental approach. The second approach would implement biometric technology into existing government-issued documents, instead of just one card.

Visit the Citizenship and Immigration Canada conference web site at:
     http://www.cic-forum.ca

For additional information on ID cards, see EPIC's National ID page at:
     http://www.epic.org/privacy/id_cards/

For additional information on biometrics, see EPIC's Biometrics page at:
     http://www.epic.org/privacy/biometrics/

======================================================================
[3] EPIC, PIRG Submit Comments on Bank Security Notices
======================================================================

EPIC, in conjunction with the U.S. Public Interest Research Group (PIRG), has submitted comments to the Department of the Treasury regarding proposed guidance on security notices to bank customers, in accordance with the Gramm-Leach-Bliley Act. The groups urged the agency to strengthen its guidelines, which specify when a financial institution must give notice to a customer when personal information has been accessed without authorization.
The groups called on the agency to require financial institutions to institute monitoring systems to detect unauthorized access to personal information. Being aware of breaches in security is critical to maintaining the integrity of the customer information systems and responding appropriately to violations.

The comments also noted that the proposed guidance leaves room for broad interpretation as to when financial institutions should provide their primary Federal regulator with notice of a security breach. Hence, the comments urged that an institution should promptly report any incidents of unauthorized access generally, rather than only when customer information is actually used. The groups also noted that specific guidance is needed as to the method and content of notification, and that the agency should include a certification requirement as part of its notification standard.

With regard to consumer communication, the comments praised the agency for not allowing any circumstances that may delay notification of the affected customers. However, the groups made several suggestions for improving the means of notifying consumers.

The EPIC and U.S. PIRG comments are available at:
     http://www.epic.org/privacy/glba/noticecomments.html

The Treasury's proposed guidelines are available at:
     http://www.epic.org/redirect/treasury.html

For background information, see EPIC's Gramm-Leach-Bliley Act page at:
     http://www.epic.org/privacy/glba/

======================================================================
[4] Senate Passes Genetic Privacy Measure
======================================================================

The Senate, in a bipartisan effort, unanimously passed the Genetic Information Nondiscrimination Act of 2003 (S.1053) earlier this week. The legislation, sponsored by Sen. Olympia Snowe (R-ME), prohibits discrimination in health insurance by employers' group health plans and by health insurance issuers on the basis of genetic information.
Group health plans and health insurers are forbidden to limit enrollment or vary premiums on the basis of genetic information or on the basis of an individual's request for genetic tests or services such as genetic counseling. They are also prohibited from requesting or requiring genetic tests. Genetic information is broadly defined to include an individual's genetic tests, genetic tests of an individual's family, or occurrence of diseases or disorders in the family history.

Employers are prohibited from discriminating in hiring, promotions or in any other way on the basis of genetic information or on the basis of a request for genetic services. Employers are prohibited from requiring genetic tests or from purchasing genetic information. Employers are permitted to engage in genetic monitoring of the biological effects of toxic substances in the workplace when such monitoring is required by state or federal law, but may do so only with prior written notice and authorization of employees. Employment agencies and labor organizations are also prohibited from discriminating on the basis of genetic information.

The legislation will now go to the House of Representatives, which is likely to act on it next year. Senate sponsors, however, are urging speedier action, and hope that Senate and White House support will encourage the House to take up the issue this year, rather than next.

Read the Genetic Information Nondiscrimination Act of 2003 at:
     http://www.epic.org/privacy/genetic/genprivacybill.pdf

Read Sen. Snowe's statement on the legislation at:
     http://www.senate.gov/~snowe/pressap/record.cfm?id=213353

For background information, see EPIC's Genetic Privacy page at:
     http://www.epic.org/privacy/genetic/

======================================================================
[5] European Parliament Opposes Air Travel Data Transfer
======================================================================

On October 9, the European Parliament overwhelmingly passed a resolution concerning airlines' transmission of personal data to the United States. In doing so, the Parliament made clear the position of the European Union on negotiations with the U.S. The resolution not only details various concessions the European Commission must require of the United States, but requires that the Commission act within two months, or else be brought to the Court of Justice by the European Parliament for failure to do so.

The resolution reveals the increasing urgency of an agreement on the issue, stating that it is imperative that passengers, airlines and reservation systems receive clear indications as soon as possible on which measures are to be taken in response to the demands made by the U.S. authorities.

The details of the resolution were partially shaped by the recommendations made by the International Conference of Data Protection and Privacy Commissioners held in Sydney in September. The commissioners recommended that international transfers of data should be made within the framework of international agreements defining the conditions necessary for ensuring data protection, the clear targets that justify the collection of data, a specific and not excessive number of items of data, strict limits on the storage period, the provision of adequate information to the persons concerned, and mechanisms to correct possible errors.

The Parliament urged the EC to determine what data may legitimately be transferred by airlines and/or computerized information systems to third parties.
In doing so, the EC is asked to consider ways to prevent discrimination against non-U.S. passengers and retention of data beyond the length of a passenger's stay on U.S. territory. The EC should require that passengers be fully and accurately informed prior to purchase and their consent be mandatory for data transfer to the U.S. It should also seek to increase passenger access to a "swift and efficient appeals procedure should any problem arise."

The requirements of the European Parliament concerning the transfer of personal data by airlines have not changed substantially since previous resolutions. What has changed is the impatience of the Parliament with the prolonged process, including the time allotted to reach an international agreement, and their quest for alternative ways to heighten airline security. The EC has been given a two-month time frame as well as a warning of repercussions should it not comply. The resolution now calls on the EC within this time frame to deny airlines and computerized information systems any access and/or transfer that is not in accordance with the principles.

The text of the October 9 European Parliament resolution is available at:
     http://www.epic.org/privacy/airtravel/profiling/epresolution.html

For background information, see EPIC's passenger profiling page at:
     http://www.epic.org/privacy/airtravel/profiling.html

The September 2003 resolution passed by the Data Protection & Privacy Commissioners is available at:
     http://www.epic.org/news/Comm03.html

======================================================================
[6] News in Brief
======================================================================

DO-NOT-CALL REGISTRY BACK IN EFFECT, PENDING APPEAL

The Federal Trade Commission's Do-Not-Call registry is back in effect, thanks to a decision by the U.S. Court of Appeals for the 10th Circuit. The court issued a stay of a Colorado District Court's injunction barring enforcement of the Do-Not-Call registry.
The lower court had found the registry to be a violation of free speech, but that decision was appealed by the FTC, with oral arguments set to be heard on November 10. The appellate court ruled that the FTC should be able to implement the Do-Not-Call registry in the meantime, finding that the FTC demonstrated a substantial likelihood of success on the merits in appeals. The FTC has re-opened registration to the Do-Not-Call list and is now taking complaints from consumers regarding telemarketing violations.

The 10th Circuit's decision is available at:
     http://www.ck10.uscourts.gov/circuit/031429.pdf

For background information, see EPIC's Do-Not-Call page at:
     http://www.epic.org/privacy/telemarketing/dnc.html

SUPREME COURT SET TO REVIEW CHILD ONLINE PROTECTION ACT

The Supreme Court announced it will hear arguments on the Child Online Protection Act (COPA), a law passed by Congress in 1998 with the intent of limiting children's access to Internet pornography. COPA was immediately challenged by EPIC, the ACLU and other groups on free speech grounds and has been stuck in legal limbo ever since. The U.S. Court of Appeals for the 3rd Circuit has twice struck down the law, and the Bush administration has appealed both times. Oral arguments in the case -- Ashcroft v. ACLU, No. 03-218 -- will take place in early 2004 and a decision is expected by July.

For background information, see EPIC's Child Online Protection Act page at:
     http://www.epic.org/free_speech/censorship/copa.html

REPORT SLAMS WEBSITE PERSONALIZATION

A new report by Jupiter Research found that personalizing websites for marketing purposes was costly and ineffective. The report, entitled "Beyond the Personalization Myth," stated that companies would be better served by improving site basics, such as navigation, rather than tailoring pages according to information gathered about individual visitors. The study also found that operating a personalized Web site cost more than four times as much as operating a "comparable dynamic site." Jupiter reported that users were not overly fond of personalized sites, due greatly to privacy concerns. In fact, more than 25 percent of consumers surveyed by Jupiter said they avoided Web site customization because of concerns that marketers would misuse the information.

Information about the report is available at:
     http://news.com.com/2100-1038-5090716.html

ICANN TO CONSIDER WHOIS PRIVACY IN CARTHAGE

ICANN will hold a WHOIS Workshop on October 29, 2003 in Carthage, Tunisia. At this workshop, privacy concerns of Internet domain name registrants will be discussed. The Non-Commercial Users Constituency is proposing several policy changes to WHOIS that would minimize the amount and type of personal data that an individual must disclose and protect such sensitive personal data from unrestricted public access. The Public Interest Registry, which manages the .ORG domain, has also made recommendations to improve privacy for WHOIS data.

The ICANN Carthage WHOIS Workshop Agenda is available at:
     http://www.icann.org/carthage/whois-workshop-agenda.htm

For background information, see EPIC's WHOIS Privacy page:
     http://www.epic.org/privacy/whois/

TECH ROUNDTABLE DISCUSSES USING RFID TAGS ON CHILDREN

On October 8, the High Tech Child Safety Roundtable met at the George Washington University to discuss the use of wireless networking to track the location of children for their safety.
Specifically, the panel focused on embedding RFID tags in children's clothing, shoes, pins, ID cards, and other items to monitor the location of a child. However, the systems discussed would track children only while within range of a school or other location that had deployed the technology; such a system would be similar in effect to video surveillance or a parent watching their child. The Roundtable further addressed technical implementation issues and data access problems arising from such a system.

See the High Tech Child Safety Roundtable site at:
     http://www.kidlocate.org

For background information, see EPIC's RFID page at:
     http://www.epic.org/privacy/rfid/

INTERNATIONAL CONSUMER GROUP LAUNCHES SPAM SURVEY

The Transatlantic Consumer Dialogue, which represents EU and U.S. consumers, has launched an online survey to assess consumers' attitudes on spam email. The results of the survey will be announced to senior officials from OECD governments and representatives of the international press in February 2004.

The survey is available at:
     http://www.net-consumers.org/erica/spamsurvey.htm

=====================================================================
[7] EPIC Bookstore: Corporateering
======================================================================

Jamie Court, _Corporateering: How Corporate Power Steals Your Personal Freedom and What You Can Do About It_, Tarcher/Putnam (2003).

     http://www.powells.com/cgi-bin/biblio?inkey=8-1585422282-0

Ralph Nader claimed that when he wants to listen to classical music he no longer needs a radio; instead he calls a major airline and waits on hold for a representative. Jamie Court in "Corporateering" takes note of dozens of similar annoyances and weaves them into a broader argument that corporations increasingly "have strained and drained people's most vital resources, including their money, energy, time, health, safety, rights, and their own power."
Many of Court's examples of irresponsible behavior involve privacy, including the traffic in personal information and invasive marketing to children. Court argues that corporations have exceeded their roles as marketplace actors to a position where they dominate culture and trample on individual rights.

Court, the Director of the Foundation for Taxpayer and Consumer Rights, an assertive California-based non-profit, begins this work with a definition of corporateer: "v. to prioritize commerce over culture; n. one who prioritizes commerce over culture." The book details how corporations have abused power to corner markets, to deceive individuals, and to infect the public sphere with mindless commercialism by naming sports venues and other public places for corporations which used to be named for great men.

One of the most remarkable portions of the book is a summary of a legal memorandum written by Lewis Powell before his appointment to the Supreme Court. It details how business can capture the public sphere, and assert power over the individual. The Powell memo advocated a massive pro-business public relations effort and much of it has crystallized. For instance, one of Powell's suggestions was to create a community of scholars to promote business interests. Today, groups like the American Enterprise Institute, whose "academics" have the same level of scholarly independence as a professor of theology at Bob Jones University, dominate the scene of Washington policymaking, issuing endless reports trumpeting their theology of Mammon: public bad, private good. Amen.

The book concludes with a series of recommendations for individuals who wish to counter irresponsible business power. Thorough appendixes suggest laws, institutions, and a new lexicon that could be employed to empower the individual.

Court's work would benefit from a more prominent disclaimer that not all corporate activity is bad.
A lack of recognition of this fact weakens his argument (his non-profit technically is a corporation, for instance). Nevertheless, Court's book is well written and insightful and one can hear the influence of Frederick Douglass in his call to action: "Small evils quickly become large ones when nourished by institutions as powerful as modern corporations and not responded to by individuals."

-Chris Jay Hoofnagle

================================

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.
     http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.
     http://www.epic.org/bookstore/foia2002/

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"Privacy & Human Rights 2003: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $35.
     http://www.epic.org/bookstore/phr2003/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty-five countries around the world.
The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
     http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
     http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
     http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
     http://www.epic.org/bookstore/

"EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

======================================================================
[8] Upcoming Conferences and Events
======================================================================

Grassroots America Defends the Bill of Rights - National Conference. Grassroots America (co-sponsored by EPIC). October 18-19, 2003. Silver Spring, MD. For more information: http://www.grassroots-america.org/.

Security Laws and Privacy Seminar. Riley Information Service Inc. October 20, 2003. Ottawa, Canada. For more information: http://www.rileyis.com/seminars/index.html

8th Symposium on Privacy and Security - Identity and Anonymity in an Increasingly Interconnected World. Swiss Federal Institute of Technology. October 21-22, 2003. Zurich, Switzerland. For more information: www.privacy-security.ch

Getting the Technology You Deserve: Community Participation in Regional Cable Franchise Policy. Computer Professionals for Social Responsibility. October 25, 2003. Seattle, Washington. For more information: http://www.cpsr.org/conferences/annmtg03/

Reporting Cyberterrorism. The Newseum and Carnegie Mellon University. October 27, 2003. Washington, DC. For more information: (703) 284-3527.

ICANN Meeting. Internet Corporation for Assigned Names and Numbers. October 27-31, 2003. Carthage, Tunisia. For more information: http://www.icann.org/carthage/

IAPP Privacy and Data Security Academy and Expo. October 29-31, 2003. Chicago, IL. For more information: http://www.privacyassociation.org

Business for Social Responsibility Annual Conference - Building and Sustaining Solutions. November 11-14. Los Angeles, CA. For more information: http://www.bsr.org

RFID Privacy Workshop. Massachusetts Institute of Technology. November 15, 2003. Boston, Massachusetts. For more information: http://www.rfidprivacy.org

American Society of Access Professionals Workshop. November 18-19, 2003. St. Louis, Missouri. For more information: http://www.acesspro.org

Media Freedoms and the Arab World. The Arab Archives Institute. December 6-8, 2003. Amman, Jordan. For more information: email aainstitute@yahoo.com or see http://www.ijnet.org/FE_Article/newsarticle.asp?UILang=1&CId=115794&CIdLang=1.

WHOLES - A Multiple View of Individual Privacy in a Networked World. Swedish Institute of Computer Science. January 30-31, 2004. Stockholm, Sweden. For more information: http://www.sics.se/privacy/wholes2004.

Securing Privacy in the Internet Age. Stanford Law School. March 13-14, 2004. Palo Alto, CA. For more information: http://cyberlaw.stanford.edu/privacysymposium/.

International Conference on Data Privacy and Security in a Global Society. Wessex Institute. May 11-14, 2004. Skiathos, Greece. For more information: http://www.wessex.ac.uk/conferences/2004/datasecurity04/index.html.

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via Web interface:
     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via e-mail:
     To: epic_news-request@mailman.epic.org
     Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:
     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Problems or questions? e-mail <info@epic.org>

Back issues are available at:
     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities.
We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
     http://www.epic.org/donate/

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.21 ----------------------