==============================================================

                        EPIC Alert

==============================================================
Volume 9.01                                   January 14, 2002
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_9.01.html

=======================================================================
Table of Contents
=======================================================================

[1] State DMVs Developing National ID System
[2] EPIC Urges Qwest to Drop Marketing Plan
[3] Court Upholds FBI Use of Secret "Key Logger" Technology
[4] Companies Stop Privacy-Invasive Practices
[5] Student Privacy Protections Enacted
[6] Digital Rights Management Discussed at Future of Music Conference
[7] EPIC Bookstore - A National ID Card: A License to Live
[8] Upcoming Conferences and Events

=======================================================================
[1] State DMVs Developing National ID System
=======================================================================

A Task Force of the American Association of Motor Vehicle Administrators (AAMVA) announced plans today to increase uniformity of state driver's licenses and information sharing between states and law enforcement agencies. The AAMVA proposal combines several initiatives, each with very different privacy implications, and asks for $100 million in federal funding to determine what technology should be used and to expand information sharing capacity.

Efforts to enhance document security and prevent forgery, such as improved holograms and printing techniques, are a positive application of technology to the driver's license regime.
The AAMVA also advocates stricter enforcement and tougher penalties for fraud and abuse of driver's licenses occurring inside and outside of DMVs.

Standardization of driver's license security features and issuance standards across the 50 states, as well as information sharing with federal agencies and state law enforcement, would make the driver's license a de facto national identity card. The AAMVA has not disclosed how the detailed personal information required to obtain a license, including residency and immigration status and social security information, will be collected, used and shared under the new program.

The AAMVA has also proposed making the driver's license a unique identifier. While they have not yet determined what technology will be implemented, they plan to use biometric or other identifiers to positively ensure that license applicants are who they say they are, and that no person holds more than one license. This proposal presents the most significant privacy and security risks, which are detailed in EPIC's ID Card and Biometrics pages referenced below.

The possible creation of national identification cards through driver's licenses deserves careful examination and open public discussion. EPIC is in the process of drafting a memo discussing the risks and policy implications of national identification schemes, to be prepared in time for the AAMVA's leadership summit, where the heads of the state DMVs will discuss the task force's recommendations.

AAMVA's website (including an archived webcast of the January 14th press conference):

     http://www.aamva.org/

EPIC's ID Card Page:

     http://www.epic.org/privacy/id_cards/

EPIC's Biometrics Page:

     http://www.epic.org/privacy/biometrics/

=======================================================================
[2] EPIC Urges Qwest to Drop Marketing Plan
=======================================================================

Last week, millions of Qwest customers across the country received opt-out notices in their monthly billing statements. The notices, which were contained within a pamphlet that said "the following will not affect your billing," provided that Qwest could use customer calling data -- information such as services subscribed to and call logs -- unless customers opted out of this plan by calling a toll-free number within 30 days. Customers attempting to call the toll-free number to opt out have reported numerous difficulties, including long waits and disconnects.

The information that Qwest is planning on using is known as customer proprietary network information, and is protected from use absent "customer approval" by the 1996 Communications Act. The FCC promulgated a rule in 1998 that required telecommunication carriers to obtain explicit customer approval (opt-in) before using such information in any manner inconsistent with provision of services. The FCC explicitly rejected an opt-out approach as insufficiently protective of customer privacy.

However, in 1999 the US Court of Appeals for the 10th Circuit ruled that the opt-in approach did not pass First Amendment scrutiny because the decision to require "opt-in" was not adequately considered or supported by existing facts. In response to this 1999 court decision, the FCC in October 2001 issued a request for public comments, seeking advice on, among other things, whether an opt-in approach inherently violates the First Amendment.
EPIC and consumer groups filed comments and reply comments urging the FCC to implement an opt-in approach. Similar comments were filed by 39 Attorneys General. In a letter sent to Qwest President Afshin Mohebbi on January 7, EPIC urged Qwest to suspend their marketing plan.

Although the initial comment period closed in November, the FCC has announced -- in the wake of Qwest's implementation of their marketing plan -- that they will continue to accept comments from anyone wishing to express their opinion in this ongoing debate. Consumers wishing to do so can comment by e-mail: <fccinfo@fcc.gov> or by regular mail: FCC, 445 12th St. S.W., Washington, D.C. 20554, attn: Consumer Information Bureau. Reference Docket No. 96-115.

EPIC's comments are available at:

     http://www.epic.org/privacy/cpni/CPNI_CMN.pdf

EPIC's reply comments are available at:

     http://www.epic.org/privacy/cpni/CPNI_Reply_Comments.html

Attorneys General comments are available at:

     http://www.naag.org/features/cpni_comments.cfm

EPIC's letter to Qwest President Afshin Mohebbi:

     http://www.epic.org/privacy/cpni/qwest_let_jan2002.html

=======================================================================
[3] Court Upholds FBI Use of Secret "Key Logger" Technology
=======================================================================

In a decision issued on December 26, a federal judge in New Jersey upheld the legality of the FBI's use of a "key logger system" secretly installed on a suspect's computer to capture his encryption passphrase and denied a defense motion to suppress evidence obtained through the technique. U.S. District Judge Nicholas Politan also allowed prosecutors to keep secret the specifics of the technology, saying disclosure "would cause identifiable damage to the national security of the United States." The government had earlier invoked the Classified Information Procedures Act (CIPA) to conceal details of the surveillance system (see EPIC Alert 8.16).

The gambling and loansharking case against defendant Nicodemo Scarfo, Jr. has become the first to test the legality of law enforcement efforts to counter the use of encryption. The events of September 11 seem to have had an influence in the case; Judge Politan wrote in the first paragraph of his opinion that "the matter takes on added importance in light of recent events and potential national security implications." Prosecutors and FBI officials met privately with the judge on Sept. 28 to present "top-secret, classified evidence" about the system and its use in national security investigations.

Scarfo's lawyers had argued that the "key-logger system" violated both the Fourth Amendment (by collecting more information than needed) and the federal wiretap statute (by intercepting modem transmissions without a wiretap order). They asserted that they needed, through pre-trial discovery, a detailed explanation of the technology to determine whether its use was improper. Politan ruled that an unclassified "summary" report on the system's capabilities provided the defense with an adequate description.

The case will proceed to trial sometime in 2002; if convicted, Scarfo could raise the discovery and suppression issues on appeal.

The court's opinion is available at:

     http://lawlibrary.rutgers.edu/fed/html/scarfo2.html-1.html

Other selected court documents on the Scarfo case are available at:

     http://www.epic.org/crypto/scarfo.html

=======================================================================
[4] Companies Stop Privacy-Invasive Practices
=======================================================================

This month, two large companies revealed that they were putting an end to practices with major privacy implications, thereby sending an important message to other industry groups that violation of consumer privacy is not a profitable or useful enterprise.

First, as initially reported by CNET, DoubleClick has decided to discontinue its profiling services.
Effective December 31, 2001, the company no longer offers the targeted marketing that was once central to its business plan. Relying on techniques such as cookies and web-bugs to track users on the Internet, over the years DoubleClick built up profiles on millions of individuals' surfing habits, preferences, and past purchases. As a result, it earned considerable notoriety as one of the worst invaders of personal privacy on the Internet. In February 2000, following complaints from EPIC and others, the Federal Trade Commission launched a formal investigation of the company when it was revealed that it planned to link personally identifiable information to these formerly anonymous Internet profiles. That investigation was officially closed in January 2001, consequent to DoubleClick's commitment to abide by self-regulatory guidelines for online profiling (see EPIC Alert 8.02).

Second, Dollar Rent-a-Car has ended its practice of requiring customers to be fingerprinted before renting a vehicle, because the effort failed to meet its goal of reducing theft and fraud. Mr. Jim Senese, Vice President of Quality Assurance at Dollar, is reported by the Washington Post as saying that although there was some reduction in car theft over the course of the program, any savings that were made did not compensate for the number of customers who were "irritated" by having to give thumbprints to the company.

In a related development on fingerprinting, a federal judge ruled last week that the technology used to "match" fingerprints does not meet standards set by the Supreme Court for scientific evidence. Judge Louis Pollak of the U.S. District Court found that expert witnesses cannot rely on fingerprint analysis, which compares near perfect prints taken at the police station to partial smudges or latent prints from a crime scene, to conclusively determine that the latent print is that of the accused person.
In what has been described as a "blockbuster opinion," Judge Pollak's ruling casts doubt upon the increased use of fingerprints as unique identifiers by private and public organizations, and may affect the evaluation of other forensic techniques such as handwriting and hair analysis.

Background information on DoubleClick:

     http://www.epic.org/doubletrouble/

CNET article on DoubleClick, January 8, 2002:

     http://news.cnet.com/news/0-1005-200-8407125.html

Washington Post article on Dollar Rent-a-Car, January 9, 2002:

     http://www.washingtonpost.com/wp-dyn/articles/A22350-2002Jan9.html

New York Times article on Justice Pollak's decision, January 11, 2002:

     http://www.nytimes.com/2002/01/11/national/11PRIN.html

=======================================================================
[5] Student Privacy Protections Enacted
=======================================================================

In December, Congress passed limited privacy protections for students. The protections were passed because a number of companies collect personal information from children while they are at school for marketing purposes. Much of this profiling is conducted under the pretense of college admissions or job recruitment purposes, and parents are often not notified of the privacy policies associated with the information collection. Companies such as American Student List sell the survey data in profiles that include children's names, contact information, sex, age, whether they own a telephone, income, religion, and their race or ethnicity.

The protections, included in H.R. 1, the "No Child Left Behind Act of 2001," were primarily supported by Sen. Christopher Dodd (D-CT) and Sen. Richard Shelby (R-AL). The original Dodd-Shelby proposal included notice and opt-in protections for all commercial collection of data from schoolchildren. However, compromise language was adopted after a lobbying push by the student profiling industry.

The new protections grant parents the right to inspect all surveys administered at school that were written by third parties. Local education agencies, which are defined as schools, school districts, or boards of education, must give notice of "arrangements to protect student privacy" and allow the parent to opt a child out of participation where the survey instrument contains questions seeking political affiliations, mental or psychological information, sexual behavior, criminal behavior, income, or religious belief. Parents may also opt children out of surveys that collect personal information for marketing purposes.

These new protections contain significant loopholes. The opt-out for marketing does not apply where the information collection is for magazine subscriptions or for "student recognition programs." However, magazine marketing is a significant purpose of student profiling. In addition, some student recognition programs have a significant marketing component.

H.R. 1, The No Child Left Behind Act of 2001 (see section 1061):

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.00001:

EPIC's Profiling Page:

     http://www.epic.org/privacy/profiling/

=======================================================================
[6] Digital Rights Management Discussed at Future of Music Conference
=======================================================================

The Future of Music Coalition (FMC) held its second annual policy summit on January 7-8, 2002, in Washington, D.C. Many topics were discussed that relate to issues of music and technology policy, copyright law, and other areas of interest to musicians, the media, policymakers, and the public. The emphasis of the conference was on finding ways to protect the interests of artists and copyright holders, as well as the music-loving public, in a constantly changing technological environment. There was also much talk of Digital Rights Management (DRM) and its efficacy as an anti-piracy technique.
Notably, in a keynote speech, Rep. Rick Boucher (D-VA) said that he will take steps to nurture the broad availability of music on the Internet, and that he intends to introduce a bill that would eliminate the anti-circumvention clause of the DMCA (section 1201).

Panelist bios, transcripts, and more post-conference information are currently available at the Future of Music Coalition website.

Links to FMC conference materials and press coverage:

     http://www.futureofmusic.org/events/summit0102/

EPIC's new Digital Rights Management Page:

     http://www.epic.org/privacy/drm/

=======================================================================
[7] EPIC Bookstore - A National ID Card: A License to Live
=======================================================================

A National ID Card: A License to Live, by Robert Ellis Smith

     http://www.infopost.com/ItemDescription.asp?navtyp=SRH&ItemI=80143

Just in time to illuminate a new national debate, A National ID Card: A License to Live brings together the provocative writings of Robert Ellis Smith, publisher of Privacy Journal newsletter, on the serious consequences of adopting a mandatory universal identity document. This book includes a bibliography on the subject, a list of other nations and their ID practices, a history of IDs and Social Security Numbers in the U.S., and a frank discussion of airport security that distinguishes the window-dressing from the workable solutions.

This book is also available from Privacy Journal at:

     http://www.privacyjournal.net/

================================

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws and Developments," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/phr2001/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world.
The survey examines a wide range of privacy issues, including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.
The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore/

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

** POSTPONED! ** First Privacy Expo 2001. Privacy & American Business and Privacy Council. Was November 27-29, 2001; will be rescheduled for February or March 2002. Washington, DC. For more information: info@pandab.org

** POSTPONED! ** Eighth Annual National "Managing the NEW Privacy Revolution" Conference. Privacy & American Business and Privacy Council. Was November 28-29, 2001; will be rescheduled for February or March 2002. Washington, DC. For more information: info@pandab.org

Chief Privacy Officer Skills Development Workshop. PRIVA-C and Select Knowledge. January 14-16, 2002 and February 18-20, 2002. Dallas, TX. For more information: http://www.priva-c.com/cpoworkshop/

Closing 'Windows' on Antitrust or Opening a New Era of Intervention?: Competition Policy after the Microsoft Settlement. CATO Institute. January 16, 2002. Washington, DC. For more information: http://www.cato.org/events/020116pf.html

Debating Privacy and ICT: Before and After September 11th. Rathenau Instituut. January 17, 2002. Amsterdam, The Netherlands. For more information: http://www.privacyconference.nl/

Eye in the Sky and Everywhere Else: Do Biometric Technologies Violate Our Rights? CATO Institute. January 24, 2002. Washington, DC.
For more information: http://www.cato.org/events/020124pf.html

National Conference on Organized Resistance. American University Animal Rights Effort. January 25-27, 2002. Washington, DC. For more information: http://www.organizedresistance.org/

The Biometric Consortium Conference. February 13-15, 2002 (rescheduled from September 12-14, 2001). Arlington, VA. For more information: http://www.nist.gov/bcfeb02/

CLA 6th Annual Cyberspace Camp Conference. Computer Law Association. February 14-16. San Jose, CA. For more information: http://www.cla.org/cal_camp.htm

Moving to the Forefront of Privacy Management for Bank & Financial Services Executives. World Research Group. February 26-28, 2002. New Orleans, LA. For more information: http://www.worldrg.com/

2nd Annual BNA Summit: Combatting Cyber Attacks on your Corporate Data. Bureau of National Affairs. February 27-28, 2002. Washington, DC. For more information: http://cybersecurity.pf.com

International Symposium on Freedom of Information and Privacy. Office of the New Zealand Privacy Commissioner. March 28, 2002. Auckland, New Zealand. For more information: Blair.Stewart@privacy.org.nz

Workshop on Privacy Enhancing Technologies. April 14-15, 2002. San Francisco, CA. For more information: http://www.pet2002.org/

CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy. April 16-19, 2002. San Francisco, CA. For more information: http://www.cfp2002.org/

2002 IEEE Symposium on Security and Privacy. IEEE and the International Association for Cryptologic Research. May 12-15, 2002. Oakland, CA. For more information: http://www.ieee-security.org/TC/SP02/sp02index.html

INET 2002. Internet Society. June 18-21, 2002. Washington, DC.
For more information: http://www.isoc.org/inet2002/

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe"

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, or if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 9.01 -----------------------