======================================================================
                         E P I C  A l e r t
======================================================================
Volume 11.23                                         December 8, 2004
----------------------------------------------------------------------

                          Published by the
            Electronic Privacy Information Center (EPIC)
                          Washington, D.C.

           http://www.epic.org/alert/EPIC_Alert_11.23.html

======================================================================
Table of Contents
======================================================================

[1] EPIC FOIA Request Shows CIA Funded Internet Surveillance in U.S.
[2] Free Credit Reports Available; Credit Agencies Block Links to Them
[3] Congress Establishes Privacy Offices in Federal Agencies
[4] United Kingdom Takes Steps Toward National ID Card
[5] Global Coalition Launches Anti-Fingerprint Campaign in Europe
[6] News in Brief
[7] EPIC Bookstore: The Digital Person
[8] Upcoming Conferences and Events

======================================================================
[1] EPIC FOIA Request Shows CIA Funded Internet Surveillance in U.S.
======================================================================

Documents recently obtained by EPIC under the Freedom of Information
Act reveal details about a joint effort between the CIA and the
National Science Foundation to fund a program that, among other
things, is researching ways to monitor online chat rooms for terrorist
activities.

According to a Memorandum of Understanding signed by the CIA on April
14, 2003, and the NSF on April 16, 2003, the agreement was reached
after a workshop held by the intelligence community and NSF in
November 2002. The memo shows that the program's research concentrates
on energy sources, sensors and detectors, image reconstruction and
analysis, optical spectrography, and mathematical techniques. According
to the document, NSF contributed $2.50 million in FY2003 and another
$2.5 million in FY2004 toward the program.  The total amount provided
by the CIA is not given, but the memo states that NSF's contribution
is 70 percent of the total.  The document says that the initiative was
to remain in effect through FY2004 and beyond.

EPIC also obtained a September 17, 2004, email from an unidentified
CIA official to Dr. Leland M. Jameson, the Program Director for
Computational and Applied Mathematics at the NSF.  The email states,
"We gratified [sic] that the scientific community wants to help the
nation and contribute to the nation's security in a time of peril." It
continues, "As far as what we do with the technology -- we have
thorough oversight by the US Congress and we strictly follow all
applicable laws."  The CIA email was sent in response to a September
17, 2004, news article about the chat room monitoring program and a
request for an interview of Jameson by a reporter in New Jersey.
Jameson informs the CIA official, "I will have to give another
interview. I was told the worst thing is for a reporter to write that
'the NSF refused to comment.'"

The documents came to light just a month after former recipients of
the Norbert Wiener Award, awarded annually by Computer Professionals
for Social Responsibility, expressed "concern about the significant
redirection in science funding toward the development of systems of
mass surveillance."  The award winners said, "It is our view that this
research priority could pose a fundamental risk to political freedom,
privacy, and Constitutional liberty."

EPIC's Freedom of Information Act request:

     http://www.epic.org/privacy/wiretap/nsf_foia.pdf

Memorandum of Understanding between the NSF and CIA:

     http://www.epic.org/privacy/wiretap/nsf_mou.pdf

Email from CIA to Leland M. Jameson:

     http://www.epic.org/privacy/wiretap/nsf_email.pdf

More information and FOIA documents are available at:

     http://www.epic.org/privacy/wiretap/nsf_release

======================================================================
[2] Free Credit Reports Available; Credit Agencies Block Links to Them
======================================================================

As of December 1, residents of fourteen Western states can obtain a
free copy of their credit reports annually from Experian, Trans Union,
and Equifax.  The copies can be requested online, by phone call, or by
writing to a postal address.  Under a rollout schedule determined by
the Federal Trade Commission, those in the Midwest will be eligible
starting March 1, 2005; Southerners starting June 1, 2005, and East
coast residents starting September 1, 2005.  These free reports are a
major consumer victory flowing from the 2003 passage of the Fair and
Accurate Credit Transactions Act (see EPIC Alert 10.25).

As of this writing, the credit reporting agencies have blocked
external web links to the free report site, claiming that links create
security risks.  EPIC and a coalition of consumer and privacy groups
have urged the Federal Trade Commission to order the credit reporting
agencies to refrain from blacklisting links to the site.  The
coalition letter argues that blocking links violates federal
regulations; that it drives down search engine rankings for the free
site, making it more likely that individuals will find a fee-based
site; and that "every subtle and not so subtle web design tactic has
been employed to make www.annualcreditreport.com difficult to find and
use.  It appears this is unlikely to have occurred by accident,
because many of the tactics represent bad web design, mistakes that
only beginner HTML authors would make."

Despite the attempts of the credit reporting agencies to obscure the
free site, the availability of annual free credit reports is an
important right that individuals should exercise regularly.  With a
free report from each of the credit reporting agencies, consumers can
engage in credit monitoring without paying expensive fees associated
with automated products marketed by Experian, Trans Union, and
Equifax.  Individuals can simply request a free report from one
agency, and then wait four months to request a report from another,
and so on.  By requesting one of the three reports every four months,
consumers will be able to keep an eye on their credit report and
minimize the fallout of identity theft.

The free report requirement also applies to "nationwide specialty"
credit reporting agencies, such as ChoicePoint and the Medical
Information Bureau, that collect and sell employment, tenant, medical,
and insurance reports.

Under a rollout schedule determined by the FTC, those in the Midwest
will be eligible starting March 1, 2005; Southerners starting June 1,
2005, and East coast residents starting September 1, 2005.

Free credit report site for Experian, Trans Union, and Equifax that
includes instructions for obtaining reports online, by phone, and by
mail:

     https://www.annualcreditreport.com

EPIC redirect link for the free site:

     http://epic.org/privacy/fcra/freereportredirect.html

EPIC letter on blocked hyperlinks to the free site:

     http://www.epic.org/privacy/fcra/freereportltr.html

Free specialty report site for ChoicePoint:

     http://www.choicepoint.com/factact.html

Free report site for the Medical Information Bureau:

     http://www.mib.com/html/request_your_record.html

Federal Trade Commission final rule on free credit reports:

     http://www.ftc.gov/opa/2004/06/freeannual.htm

EPIC comments on free credit reports:

     http://epic.org/privacy/fcra/freereport.html

======================================================================
[3] Congress Establishes Privacy Offices in Federal Agencies
======================================================================

A massive appropriations bill recently passed by Congress includes
provisions that establish privacy officers in federal agencies. This
action follows some of the 9/11 Commission's recommendations on
privacy and security.

Shortly after the Commission issued its report, EPIC and a coalition
of more than 40 civil liberties organizations sent a letter to members
of Congress outlining key points to consider as the House and Senate
craft legislation based on the 9/11 Commission recommendations.  The
letter proposed ways to ensure that the goals of security and freedom
are both attained, specifically stating, "the appointment of Privacy
and Civil Rights and Civil Liberties Protection Officers for each
federal department would help ensure compliance with those
safeguards."

The coalition letter also stated, "routine public reporting should
also be established to ensure that the public is able to evaluate the
costs and benefits of information sharing with the federal
government."  The recently passed appropriations bill also directs the
new privacy offices to have a third party review how the agency
safeguards personally identifiable information it manages at least
once every two years.

The appropriations bill has been a lightning rod for privacy-related
conflict.  Last month the House approved a version of the bill with a
provision that would have given two Congressional committee chairmen
access to any American's tax returns.  The measure said, "Hereafter,
notwithstanding any other provision of law governing the disclosure of
income tax returns or return information, upon written request of the
chairman of the House or Senate Committee on Appropriations, the
commissioner of the Internal Revenue Service shall allow agents
designated by such chairman access to Internal Revenue Service
facilities and any tax returns or return information contained
therein."  Both the House and Senate eventually voted to kill the
provision.  House Minority Leader Nancy Pelosi (D-CA) denounced the
measure, saying, "it should be of grave concern to all Americans that
their privacy could be invaded by such an outrageous provision."

In Defense of Freedom coalition letter to Congress:

     http://www.indefenseoffreedom.org/statements/9-11_letter.pdf

The text of H.R. 4818:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d108:HR04818:

The text of H.R. 5424:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d108:HR05424:

For more information about taxpayer privacy, see EPIC's Internal
Revenue Service Page:

     http://www.epic.org/privacy/databases/irs

======================================================================
[4] United Kingdom Takes Steps Toward National ID Card
======================================================================

The United Kingdom government is going forward with its plans for a
mandatory national ID card in its Identity Cards Bill, recently
announced in the Queen's Speech, which sets out the government's
legislative program for the coming year.  The bill was introduced in
the House of Commons several days ago.

The bill has not changed much from a draft published for consultation
in April, when it had been released over opposition from several
cabinet ministers including former Home Secretary (now Foreign
Secretary) Jack Straw.  It has been strongly opposed by a wide variety
of groups in the UK including the Liberal Democrats party, the Law
Society and the Information Commissioner, and is expected to receive
serious scrutiny in the House of Lords.  A public opinion poll,
commissioned by Privacy International earlier this year, found several
million people would conduct civil disobedience and one million would
go to jail before they submitted to the new card.

The Identity Cards Bill would require all citizens to get a new ID
card when they renew their passports.  A central National Identity
Register would contain the name, current and previous addresses, place
of birth, identifying characteristics, nationality and immigration
status of every UK resident.  Biometrics (fingerprints and iris scans)
would be stored on the card and in the database.  The card and the
register would be necessary to seek employment, to gain access to
health and various other services, and would be used by police and
immigration officers.  The proposed law gives the Home Secretary the
power to issue regulations to vastly expand the scope of the bill,
including making the card mandatory without needing changes to the
law.  It would cost at least USD $12 billion to implement the new
identity scheme.  The card is expected to be phased in over 10 years,
starting in 2007-08, by replacing existing drivers licenses and
passport cards.

Since 1952, the issue of national ID cards has come up every few years
in Great Britain and has been soundly rejected due to public
opposition.  Shortly after September 11, 2001, Home Secretary David
Blunkett again proposed the card but was forced to back away after it
was severely criticized.  It has subsequently been promoted as a means
to prevent illegal immigration, improve public services and to prevent
terrorism.

For more information about national ID, see EPIC's National ID Cards
Page:

     http://www.epic.org/privacy/id_cards

More information on identity cards is available in Privacy and Human
Rights 2004:

     http://www.epic.org/bookstore/phr2004

======================================================================
[5] Global Coalition Launches Anti-Fingerprint Campaign in Europe
======================================================================

EPIC joined a coalition of privacy officials, non-governmental
organizations, and individuals in sending an open letter to urge the
European Parliament to reject a proposed regulation that would require
biometric identification of all European citizens and residents by
taking their fingerprints and digital photographs and storing them in
police databases.

The letter argued that it is an unnecessary and rushed policy that
will diminish Europeans' right to privacy.  It also recommended
additional oversight and the establishment of significant controls and
a strong legal framework on the new biometric databases put in place.
The coalition specifically recommended the removal of the
European-wide fingerprinting requirement, arguing that it is an
unnecessary and disproportionate measure to fight terrorism.  The
letter referred to an academic analysis questioning the legal basis of
the proposal by stating that the proposed regulation on EU passports
would breach the right to private life protected by European Community
law.  Other critiques include unknown costs of the measures that would
implement the biometric scheme, and the secrecy and lack of public
oversight of the work of the committee working on its details.

The fingerprint biometric for all citizens and residents is
unprecedented.  While the Council of the European Union is calling
for the use of two biometrics, the United States and the International
Civil Aviation Organization only require one, and the U.S. government
does not plan to implement fingerprints in its citizens' passports.

Moreover, the Council appears to have deliberately acted in the last
few months in a way that has precluded meaningful participation of the
European Parliament in the "consultation" procedure used to adopt
Council regulations, despite Parliament members' critiques aimed at
limiting the scope of the draft regulation and securing oversight.

Privacy International:

     http://www.privacyinternational.org

Privacy International, Statewatch and EDRI open letter:

     http://www.epic.org/redirect/pi_fingerprint.html

Council draft regulation on biometric passports:

     http://www.statewatch.org/news/2004/nov/biometric-proposal.pdf

General information on biometric passports is available in Privacy and
Human Rights 2004:

     http://www.epic.org/bookstore/phr2004

======================================================================
[6] News in Brief
======================================================================

FTC FAILS TO ENFORCE CHILDREN'S PRIVACY LAW AGAINST AMAZON.COM

Federal Trade Commission staff have determined that Amazon.com's "Toy
Store" web site is "not directed at children" for purposes of the
Children's Online Privacy Protection Act (COPPA).  The agency also
found that Amazon did not knowingly collect personal information from
children through its web site.  COPPA requires child-oriented web
sites to provide extra protections for personal information submitted
by children.

The FTC staff letter comes in response to an April 2003 complaint from
EPIC and other privacy groups arguing that the subject matter of the
site, the use of child models, and other factors made the site
directed at children (see EPIC Alert 10.08).  Several children had
also registered on the site and in some cases, posted full names and
postal addresses.  In its letter, the FTC relied heavily on a single
sentence in Amazon's privacy policy that stated that the company only
sells products to adults.

FTC letter:

     http://www.epic.org/privacy/amazon/ftc_amazon.pdf

EPIC complaint:

     http://www.epic.org/privacy/amazon/coppacomplaint.html

For more information about children's privacy, see the EPIC Children's
Online Privacy Protection Act Page:

     http://www.epic.org/privacy/kids


GOVERNMENT UNIONS PROTEST HOMELAND SECURITY SECRECY AGREEMENTS

The National Treasury Employees Union and the American Federation of
Government Employees have urged the Department of Homeland Security to
stop requiring its 180,000 employees to sign nondisclosure agreements
that keep them from providing, among other things, "sensitive but
unclassified information" to the public.  In a letter to Secretary
Tom Ridge, the unions said that they will challenge the
constitutionality of the secrecy agreements if the agency continues to
use them.

Agency employees who violate the nondisclosure agreements risk being
fined, losing their jobs, and even prison time.  One provision says
that signers consent to government inspections "at any time or place"
to ensure that they are complying with the agreement.

Letter from National Treasury Employees Union and the American
Federation of Government Employees to Tom Ridge:

     http://www.epic.org/redirect/nteu.html

The nondisclosure agreement:

     http://www.epic.org/privacy/homeland/dhs_nda.pdf


WASHINGTON METRO INTRODUCES ACCESS TO RECORDS POLICY

Directors of the Washington Metropolitan Area Transit Authority have
proposed a formal policy that would govern how Metro handles requests
for records and provide greater protection to electronic fare card
data.  Though Metro is apparently not covered by Maryland, Virginia,
DC, or federal freedom of information laws, the proposed policy would
allow individuals who are denied requests for information to sue Metro
in court.  The policy would also permit Metro to release SmarTrip card
data only when ordered to do so by a court, for law enforcement
purposes, or when the card holder gives written consent.

Metro encourages the public to comment on the proposed policy, which
will be posted on Metro's web site by December 17.  Comments may also
be mailed to the Office of General Counsel, WMATA, 600 Fifth St. NW,
Washington, D.C. 20001 or submitted electronically.

For more information about the policy, see Metro's web site:

     http://www.wmata.com/about/met_news/story.cfm?ID=95

Email comments on the proposal to:

     comments at wmata.com

======================================================================
[7] EPIC Bookstore: The Digital Person
======================================================================

Daniel J. Solove, The Digital Person (New York University Press 2004).

     http://www.powells.com/cgi-bin/biblio?inkey=2-0814798462-1

"Seven days a week, twenty-four hours a day, electronic databases are
compiling information about you.  As you surf the Internet, an
unprecedented amount of your personal information is being recorded
and preserved forever in the digital minds of computers.  For each
individual, these databases create a profile of activities, interests,
and preferences used to investigate backgrounds, check credit, market
products, and make a wide variety of decisions affecting our lives.

"The creation and implementation of these databases -- which Daniel J.
Solove calls 'digital dossiers' -- has thus far gone largely
unchecked. In this startling account of new technologies for gathering
and using personal data, Solove explains why these digital dossiers
pose a grave threat to our privacy.  For example, they increase our
vulnerability to identity theft, a serious crime that has been
escalating at an alarming rate.  Moreover, since September 11, the
government has been tapping into vast stores of information collected
by businesses and using it to profile people for criminal or terrorist
activity.

"The Digital Person not only explores these problems, but provides a
compelling account of how we can respond to them.  Using a wide
variety of sources, including history, philosophy, and literature,
Solove puts forth a new understanding of what privacy is, one that is
appropriate for the new challenges of the Information Age.  Solove
recommends how the law can be reformed to simultaneously protect our
privacy and allow us to enjoy the benefits of our increasingly digital
world."

                       ================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.

                      ================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in
the WSIS process.

                      ================================

"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
                  
                      ================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

                      ================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.

                      ================================

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

                      ================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore
      http://www.epic.org/bookstore

      "EPIC Bookshelf" at Powell's Books
      http://www.powells.com/features/epic/epic.html

======================================================================
[8] Upcoming Conferences and Events
======================================================================

Meeting of the Information Security and Privacy Advisory Board.
Department of Commerce. December 14-15, 2004. Washington, DC. For
more information: http://csrc.nist.gov/ispab.

3rd Annual Digital Rights Management Conference 2005. Ministry of
Science and Research of the State Northrhine Westfalia, Germany.
January 13-24, 2005. Berlin, Germany. For more information:
http://www.digital-rights-management.org/start.php.

12th Annual Network and Distributed System Security Symposium. The
Internet Society. February 3-4, 2005. San Diego, CA. For more
information: http://www.isoc.org/isoc/conferences/ndss/05/index.shtml.

14th Annual RSA Conference. RSA Security. February 14-18, 2005. San
Francisco, CA. For more information:
http://2005.rsaconference.com/us/general/default.aspx.

The World Summit on the Information Society PrepCom 2. February
17-25, 2005. Geneva, Switzerland. For more information:
http://www.itu.int/wsis/preparatory2/hammamet/index.html.

3rd International Conference of Information Commissioners. Federal
Institute of Access to Information. February 20-23, 2005. Cancun,
Mexico. For more information:
http://www.icic-cancun.org.mx/index.php?lang=eng.

The Concealed I: Anonymity, Identity, and the Prospect of Privacy. On
the Identity Trail and the Law and Technology Program at the
University of Ottawa. March 4-5, 2005. Ottawa, Canada. For more
information: http://www.anonequity.org/concealedI.

O'Reilly Emerging Technology Conference. March 14-17, 2005. San
Diego, CA. For more information:
http://conferences.oreillynet.com/etech.

7th International General Online Research Conference. German Society
for Online Research. March 22-23, 2005. Zurich, Switzerland. For more
information: http://www.gor.de.

5th Annual Future of Music Policy Summit. Future of Music Coalition.
April 10-11, 2005. Washington DC. For more information:
http://www.futureofmusic.org/events/summit05/index.cfm.

CFP2005: Fifteenth Annual Conference on Computers, Freedom and
Privacy. April 12-15, 2005. Seattle, WA. For more information:
http://www.cfp2005.org.

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society
Technical Committee on Security and Privacy in cooperation with The
International Association for Cryptologic Research. May 8-11, 2005.
Berkeley, CA. For more information:
http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html.

SEC2005: Security and Privacy in the Age of Ubiquitous Computing.
Technical Committee on Security & Protection in Information
Processing Systems with the support of Information Processing Society
of Japan. May 30-June 1, 2005. Chiba, Japan. For more information:
http://www.sec2005.org.

3rd International Human.Society@Internet Conference. July 27-29,
2005. Tokyo, Japan. For more information: http://hsi.itrc.net.

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis.

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

     https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

     http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information, see
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248
(fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.  Or you can
contribute online at:

     http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 11.23 ----------------------