EPIC logo

                          E P I C  A l e r t
Volume 11.24                                         December 23, 2004

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.


Table of Contents

[1] EPIC Hosts Privacy and Public Voice Conference in Africa
[2] Intelligence Reform Law Creates New Standards for ID Documents
[3] EPIC Seeks Investigation of ChoicePoint, Data Brokers
[4] Coalition Objects to Selective Service, University Data Matching
[5] EPIC FOIA Request Shows Postal Machines Take and Store Photos
[6] News in Brief
[7] EPIC Bookstore: 9/11 and Terrorist Travel
[8] Upcoming Conferences and Events


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

                        EPIC NEEDS YOUR SUPPORT!

EPIC works to protect privacy, freedom of expression, democratic
values, and to promote the Public Voice in decisions concerning the
future of the Internet.  We rely on support from foundations and
individual donors to maintain our programs.

         Please make a tax-deductible donation to EPIC today.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

[1] EPIC Hosts Privacy and Public Voice Conference in Africa

On December 6 EPIC held the Africa Electronic Privacy and Public Voice
Symposium in Cape Town, South Africa, which took place in conjunction
with the first meeting of the Internet Corporation for Assigned Names
and Numbers (ICANN).  The symposium featured panel discussions on data
protection and freedom of expression in Africa, Internet policy in
Africa, and African perspectives on global Internet governance.

Participants discussed the role of privacy as a foreign concept to
most Africans, both in terms of their culture of community openness
and as a concern of only the elite.  Panelists believed privacy is an
important issue for Africa, which traditionally has not emphasized
other individual values such as freedom of expression.  All panelists
felt this needs to change quickly, and there is broad-based support
for considering privacy issues in the contexts of information
technology and in the World Summit on the Information Society.

Elizabeth Bakibinga, Senior Legislative Council to the Parliament of
Uganda, explored the legal basis of the right to privacy in Uganda.
She described a multi-part approach to privacy protection and set
forward a model for privacy legislation in Africa.  She also explained
that in Africa the community comes first, but that privacy will be an
important concern as the information technology revolution advances.
"One can have privacy and still be part of the community," she

Joi Ito, the newest member of the ICANN board, provided a comparative
approach to privacy with the example of Japan.  He said that privacy
protection is critical in Japan, though it is a traditional society
similar to Africa, to help sustain democracy.  However, there are
serious challenges after 9/11.  Information communication technology
"now hides government activity but exposes individuals. This needs to
be reversed," he said.  He called on participants to educate
government officials about these issues.  He asserted, "if you lose
your privacy, you lose your democracy."

The Association for Progressive Communications demonstrated the new
Africa ICT Monitor, a tool that will allow the public to post
information communication technology-related issues and legislation.
He demonstrated the site for participants and showed it as one tool to
build a movement to protect privacy.  Nnenna Nwakanma, a member of the
African Civil Society for the Information Society, spoke about the
role of African civil society and emphasized that "action takes place
at the grassroots level."  She outlined several goals, including
technical support, partnerships, information, content, and training.
Participants also discussed participation in regional and global
Internet governance and urged that governance is best when it's
closest to the people.

EPIC Executive Director Marc Rotenberg concluded the conference by
comparing the challenge of  privacy protection in the information
society to the challenge of environmental protection in the industrial
society.   As symposium participants described, privacy is a
significant but futuristic and elite issue in Africa that requires
immediate attention, advocacy, and publicity in the region as the
information age progresses.

EPIC is very grateful to the Open Society Institute, the Ford
Foundation, Afilias and in particular the Public Interest Registry
(.org) for their generous support and assistance in the planning and
implementation of the symposium.

The next Public Voice event will be held in conjunction with the
upcoming ICANN meeting in Mar de Plata, Argentina in April 2005.

Africa Electronic Privacy and Public Voice Symposium:


APC Africa ICT Policy Monitor:


[2] Intelligence Reform Law Creates New Standards for ID Documents

On December 17 President Bush signed into law the National
Intelligence Reform Act of 2004.  Among other things, the legislation
will require standardization of birth certificates and driver's
licenses for acceptance by federal agencies.

The law states that the Secretary of Health and Human Services will
establish minimum standards for birth certificates for use by federal
agencies for official purposes, which may include the use of birth
certificates to establish identity for those applying for visas and
registering for social security benefits, Medicaid or Medicare
coverage, and Federal Emergency Management Agency assistance.  The
Secretary is directed to establish requirements for proof and
verification of identity as a condition of issuing a birth

The law also requires the Secretary of Transportation to consult with
the Secretary of Homeland Security to establish standards for driver's
licenses and state identification documents that can be accepted by
federal agencies.  The licenses and documents must include full legal
name, date of birth, gender, drivers license or personal
identification card number, a digital photograph, residential address,
and signature.

The law also establishes standards for common machine-readable
identity information to be included on each driver's license or
personal identification card, including defined minimum data elements
which have yet to be outlined.  Identification security standards are
required to ensure that driver's licenses and personal identification
cards are resistant to tampering, alteration, or counterfeiting.  The
cards must be capable of accommodating and ensuring the security of a
digital photograph or other unique identifier.  A state may confiscate
a driver's license or personal identification card if any component or
security feature of the document is compromised.

The law notes the need to protect the privacy of individuals who apply
for and hold driver's licenses and personal identification cards, but
does not charge an authority with the responsibility of safeguarding
the privacy of applicants.

In two years, no federal agency will accept a driver's license or
personal identification card issued by a state unless the document
conforms to the federally established minimum standards.

National Intelligence Reform Act of 2004:


For more information about national identification, see EPIC's
National ID Page:


For more information about driver privacy, see EPIC's Driver Records


For more information about the 9/11 Commission's recommendations, see
EPIC's 9-11 Commission Report Page


[3] EPIC Seeks Investigation of ChoicePoint, Data Brokers

In a letter to the Federal Trade Commission, EPIC urged the agency to
investigate the compilation and sale of personal dossiers by data
brokers such as ChoicePoint.  EPIC argued that the dossiers may
constitute "consumer reports" for purposes of the Fair Credit
Reporting Act, thus subjecting both the information seller and the
buyer to regulation under the Act.  Furthermore, EPIC argued that it
is incumbent upon the Commission to analyze whether the sale of these
dossiers circumvents the Act, giving businesses, private
investigators, and law enforcement access to data that previously had
been subjected to Fair Information Practices.

ChoicePoint, a major information aggregator, is selling dossiers that
are used by law enforcement, government, and the private sector to
make important decisions about people.  Some dossier products, such as
the company's AutoTrackXP report, are sold without complying with the
substantive and procedural protections in the Fair Credit Reporting
Act, a 1970 law that broadly regulates the compilation, use, and
dissemination of "consumer reports."

AutoTrackXP reports contain Social Security Numbers; driver license
numbers; address history; phone numbers; property ownership and
transfer records; vehicle, boat, and plane registrations; Uniform
Commercial Code filings; financial information such as bankruptcies,
liens, and judgments; professional licenses; business affiliations;
"other people who have used the same address of the subject,"
"possible licensed drivers at the subject's address," and information
about the data subject's relatives and neighbors.  They are similar in
scope and in use to standard credit reports normally protected by the
Act.  By selling them without the Act's protections, ChoicePoint is
subverting the policy goals of federal information privacy law.

EPIC argued that companies like ChoicePoint are returning people to a
pre-Fair Credit Reporting Act era, one marked by "unaccountable data
companies that reported inaccurate, falsified, and irrelevant
information on Americans, sometimes deliberately to drive up the
prices of insurance or credit.  For instance, erroneous ChoicePoint
data sold without the FCRA's protections were relied upon in Florida
to cleanse voting registration rolls of felons prior to the 2000
election, resulting in the disenfranchisement of thousands of eligible

EPIC's letter on ChoicePoint:


For more information about Choicepoint, see EPIC's ChoicePoint Page:


For more information about the Fair Credit Reporting Act, see EPIC's
Fair Credit Reporting Act Page:


[4] Coalition Objects to Selective Service, University Data Matching

Privacy Journal, Consumer Action, Privacy Rights Now Coalition,
Privacy Rights Clearinghouse, American Association of University
Professors, and the World Privacy Forum joined EPIC is opposing a new
data matching agreement between the Selective Service System and the
Department of Education.

Under the matching agreement, the Selective Service proposed to
automatically match its registration records with a database of
federal loan recipients held by the Department of Education.  The
purpose of the data match is to determine whether college and
university students who receive federal student loans have registered
for the draft.

The groups wrote that the data matching program raises significant
privacy risks, as an unverified computer match may disrupt the
academic progress of a student.  Furthermore, the matching program
suffered from a number of procedural shortcomings, and it is not in
compliance with the privacy and security safeguards specified by the
Computer Matching Amendments to the Privacy Act of 1974.  The groups
requested that the data matching system be suspended unless it can be
brought into full compliance with the Computer Matching and Privacy

Coalition letter to the Selective Service System on data matching:


For more information about education record privacy, see EPIC's
Student Privacy Page:


[5] EPIC FOIA Request Shows Postal Machines Take and Store Photos

EPIC has obtained documents under the Freedom of Information Act
showing that the Postal Service's new self-service postage machines
take and retain portrait-style photographs of customers.

The Automated Postal Center kiosks allow people to mail letters or
packages, buy stamps, and look up information.  One document obtained
by EPIC states that "[i]n order to augment security, a digital
photograph will be necessary for some transactions."  Another document
reads, "[c]amera required by FAA. Privacy Office is requiring a notice
for customers, advising that photograph may be taken during the

According to the documents, the Automated Postal Center system
"retains transaction data, application logs, user photographs, and
alerts for a relatively short period of time."  Photos of customers
and machine servicers are retained for 30 days on a Windows XP

The system also retains credit card data, though it is unclear how
long such information is stored.  One document states, "[n]o revenue
transactions shall be permitted to complete in the event the analysis
of the photograph determines the photograph to be compromised."

The documents are available at:


For more information about postal privacy, see EPIC's Postal Service
Privacy Page:


[6] News in Brief


Senator Bill Nelson (D-FL) has called upon the Federal Trade
Commission to abandon a proposed loophole to the telemarketing
Do-Not-Call Registry.  The loophole would allow companies to send
recorded messages to persons with whom they have done business.  In a
letter to the Commission, Nelson warned that the loophole threatens to
erode consumer privacy and flood homes with unwanted messages.  The
public is urged to comment on prerecorded telemarketing by January 10,

Senator Nelson's letter opposing the loophole to the Do-Not-Call


Instructions on how to comment can be found on EPIC's Telemarketing



For the second time in three months, EPIC has asked a federal court
for an emergency court order to force the FBI to turn over information
about the Terrorist Screening Database and how it will be used in
Secure Flight.  In October, EPIC sued the agency when it refused to
recognize that EPIC was entitled to a quick release of the documents.
The FBI backed down and the case was dismissed, but the agency has not
given EPIC the information.

EPIC's motion for preliminary injunction:



Under amendments to the Fair Credit Reporting Act, the three
nationwide credit reporting agencies are required to operate a web
site to provide a free credit report once a year.  However, shortly
after the site went live on December 1, EPIC and other groups
discovered that the credit reporting agencies were blocking hyperlinks
to the site, citing security concerns.  EPIC and five privacy and
consumer groups called upon the Federal Trade Commission to halt the

The coalition letter argues that blocking links violates federal
regulations, and that, "[w]hether intentional or not, every subtle and
not so subtle web design tactic has been employed to make
www.annualcreditreport.com difficult to find and use."  Blocking the
links makes it difficult for search engines to locate the free site,
and keyword searches currently rank for-fee sites above the free one.
The free site also lacks HTML "meta" tags that are normally included
to describe a web site's content.  Finally, the free site does not
comply with Section 508, making it unusable by people with
disabilities or people using text-only browsers.

Until the Commission takes action, EPIC has posted a webpage that
circumvents the blocking.

Coalition letter on blocking links to the free credit report site:


Redirect to free credit report site:



Congress has passed the Intellectual Property Protection and Courts
Amendments Act of 2004, which includes the Fraudulent Online Identity
Sanctions Act.  The new law criminalizes any inaccurate information
provided to a domain name registry if the web site is found to
infringe on a copyright. The Act amends the law to impose stiff
criminal penalties upon those who have provided "materially false
contact information to a domain name registrar, domain name registry,
or other domain name registration authority." The Act will increase
prison sentences by up to seven years in criminal cases where someone
convicted of a felony "knowingly registered" a domain name and
knowingly used that domain in the offense.  The issue at hand is the
accuracy of information in the WHOIS database, a public directory of
domain registrant data available and searchable online.  Currently,
registrants must enter information as personal as name, address,
telephone number, and email address in addition to all of the
technical contact information, all of which can then be found on the
public WHOIS database.

Intellectual Property Protection and Courts Amendments Act of 2004:


For more information about the WHOIS database, see EPIC's WHOIS page:



  An unsigned report published by the Board of Governors of the Federal
  Reserve System argues that prescreened offers of credit should not be
  further restricted by privacy laws.  Prescreened offers are
  invitations to credit cards and insurance products that are targeted
  to persons with specific credit histories.  It is estimated that 5
  billion offers are mailed every year.  Current privacy law allows
  consumer to opt out of prescreened offers by calling 1-888-5OPTOUT.

  The report is highly biased in favor of the credit card industry. For
  instance, the Federal Reserve obtained statistics from the credit
  industry that helped the agency conclude that no new privacy
  protections should be in place.  At the same time, the Federal
  Reserve apparently did not seek out or acquire data that the credit
  industry maintains demonstrating the fraud and identity theft that
  results from prescreened offers.

  Nevertheless, the report has interesting statistics on credit card
  marketing and opting out:  53% of new credit accounts are established
  through prescreened direct mail offers, 17% are acquired
  non-prescreened mail offers, and 8% come from prescreened
  telemarketing offers.  6% of consumers with credit reports have opted
  out of prescreened offers, and more would do so, if they knew of the
  opt out system. People with high credit limits, many credit cards,
  and high credit scores are more likely to opt out than others.  More
  than 99% of prescreened offers end up in the trash.

  Federal Reserve report on prescreened offers of credit:


For more information about privacy of credit information, see EPIC's
Fair Credit Reporting Act Page:


[7] EPIC Bookstore: 9/11 and Terrorist Travel

National Commission on Terrorist Attacks, 9/11 and Terrorist Travel: A
Staff Report of the National Commission on Terrorist Attacks Upon the
United States (Providence Publishing Corporation 2004).


"Before 19 hijackers could commit the terrorist attacks of September
11, 2001, they passed through U.S. border security 68 times.  In all,
they had 25 contacts with consular officers and 43 contacts with
immigration and customs authorities -- none of whom suspected they
were al Qaeda operatives.

"In the words of the 9/11 Commission's Executive Director, this staff
report "offered substantial information or analysis not well
represented in the Commission's report."  Now for the first time in
book form, 9/11 and Terrorist Travel also includes full color digital
images of the travel documents used by the 9/11 hijackers.

"The National Commission on Terrorist Attacks Upon the United States
was established by law in November 2002. Congress and President George
W. Bush gave this independent, bipartisan Commission the mandate to
study, evaluate, and report on "immigration, nonimmigrant visas and
border security" as these areas relate to 9/11.

"This report includes the complete 9/11 and Terrorist Travel monograph
produced by the staff, including:

      * A chronology of the 9/11 terrorist travel operation and the
      hijackers' contacts with U.S. border officials;

      * Color reproductions of travel and identification documents used
      by the hijackers;

      * Detailed descriptions of Al Qaeda travel tactics;

      * Counterterrorism policies of the border security community
      prior to 9/11;

      * Complete, highly descriptive endnotes; and

      * Comprehensive appendices which include a detailed account of
      the Saudi flights, including the Bin Ladin flight, out of the
      U.S. after 9/11."


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.


This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

       EPIC Bookstore

       "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

3rd Annual Digital Rights Management Conference 2005.  Ministry of
Science and Research of the State Northrhine Westfalia, Germany.
January 13-24, 2005.  Berlin, Germany.  For more information:

12th Annual Network and Distributed System Security Symposium. The
Internet Society.  February 3-4, 2005.  San Diego, CA.  For more
information: http://www.isoc.org/isoc/conferences/ndss/05/index.shtml.

14th Annual RSA Conference.  RSA Security.  February 14-18, 2005.  San
Francisco, CA.  For more information:

The World Summit on the Information Society PrepCom 2.  February
17-25, 2005.  Geneva, Switzerland.  For more information:

3rd International Conference of Information Commissioners. 
Institute of Access to Information. February 20-23, 2005. Cancun,
Mexico. For more information:
http://www.icic-cancun.org.mx/index.php?lang=eng. The Concealed I: Anonymity, Identity, and the Prospect of Privacy. On the Identity Trail and the Law and Technology Program at the University of Ottawa. March 4-5, 2005. Ottawa, Canada. For more information: http://www.anonequity.org/concealedI. O'Reilly Emerging Technology Conference. March 14-17, 2005. San Diego, CA. For more Information: http://conferences.oreillynet.com/etech. 7th International General Online Research Conference. German Society for Online Research. March 22-23, 2005. Zurich, Switzerland. For more information: http://www.gor.de. The 2005 Nonprofit Technology Conference. Nonprofit Technology Enterprise Network. March 23-25, 2005. Chicago, IL. For more information: http://www.nten.org/ntc. Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. April 4-8, 2005. Mar del Plata, Argentina. For more information: http://www.icann.org. 5th Annual Future of Music Policy Summit. Future of Music Coalition. April 10-11, 2005. Washington DC. For more information: http://www.futureofmusic.org/events/summit05/index.cfm. CFP2005: Fifteenth Annual Conference on Computers, Freedom and Privacy. April 12-15, 2005. Seattle, WA. For more information: http://www.cfp2005.org. 2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research. May 8-11, 2005. Berkeley, CA. For more information: http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html. SEC2005: Security and Privacy in the Age of Ubiquitous Computing. Technical Committee on Security & Protection in Information Processing Systems with the support of Information Processing Society of Japan. May 30-June 1, 2005. Chiba, Japan. For more information: http://www.sec2005.org. Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. July 11-15, 2005. Luxembourg City, Luxenbourg. For more information: http://www.icann.org. 3rd International Human.Society@Internet Conference. July 27-29, 2005. Tokyo, Japan. For more information: http://hsi.itrc.net. The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information: http://www.itu.int/wsis. Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. November 30-December 4, 2005. Vancouver, Canada. For more information: http://www.icann.org. ====================================================================== Subscription Information ====================================================================== Subscribe/unsubscribe via web interface: https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news Back issues are available at: http://www.epic.org/alert The EPIC Alert displays best in a fixed-width font, such as Courier. ====================================================================== Privacy Policy ====================================================================== The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ====================================================================== About EPIC ====================================================================== The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 11.24 ---------------------- .