========================================================================
                          E P I C   A l e r t
========================================================================
Volume 12.06                                              March 24, 2005
------------------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_12.06.html

========================================================================
Table of Contents
========================================================================

EPIC Calls for Regulation of Choicepoint; Coalition Demands Action
Madrid Summit Urges Democratic Response to Threats of Terrorism
Google's Gmail Subject of EPIC West Testimony in California Senate
Transportation Biometric ID Raises Privacy Concerns; Review Urged
EPIC Introduces EPIC FOIA Notes, 2005 FOIA Gallery
News in Brief
EPIC Bookstore: J.J. Luna's "How to Be Invisible"
Upcoming Conferences and Events

========================================================================
EPIC Calls for Regulation of Choicepoint; Coalition Demands Action
========================================================================

EPIC Executive Director Marc Rotenberg urged lawmakers to regulate Choicepoint and other data brokers in testimony last week before a House subcommittee on consumer protection. Mr. Rotenberg testified that there is too much secrecy and too little accountability in the business dealings of data brokers, and the Choicepoint debacle underscores the need for federal regulation of the information broker industry.

Choicepoint recently admitted that it had sold personal information on 145,000 people to a criminal ring involved in identity theft. Congressional members questioned Choicepoint about its response to the situation. Rep. Edward J. Markey (D-MA) asked Choicepoint to do more for the 145,000 victims than the data broker has done.
Choicepoint has agreed to give the victims a year of free credit monitoring, but Rep. Markey asked Choicepoint CEO Derek Smith to give "a lifetime monitoring service and instant e-mail and postal alerts for each and every consumer has been victimized as a result of Choicepoint's negligence." Rep. Markey also asked Mr. Smith to give each victim "exactly what personal information was compromised and not this vague letter telling them that it could include all of this, but we're not going to give you the exact information." Mr. Smith did not immediately agree to extend the monitoring service for the victims. However, Mr. Smith did agree to give "the specific information that was on that report that could potentially could have been used," to each victim that requested the information from Choicepoint. In December EPIC filed a complaint with the Federal Trade Commission raising questions about Choicepoint and other data brokers' business practices. Rep. Markey asked FTC Chairman Deborah Platt Majoras if the commission began to investigate Choicepoint after receiving EPIC's complaint. Chairman Majoras said that the FTC did not begin its investigation of Choicepoint until later. Rep. Markey expressed disappointment with the FTC's actions. "The point I'm trying to make here is that I think that there was a warning, that there was information at the Federal Trade Commission, that the Federal Trade Commission has to be much more aggressive than it has been in the pursuit of the protection of the privacy of individuals. And this is the perfect example of where the Federal Trade Commission was not as aggressive as the American people would expect you to be," he said. After the House subcommittee hearing, EPIC, Privacy Rights Clearinghouse, PIRG, Privacy Times, and World Privacy Forum wrote to Chairman Majoras, requesting that the agency reevaluate its position concerning Choicepoint and other commercial data brokers. 
The groups wrote that the FTC testimony at the hearing "was not well informed, and did not adequately reflect the concerns of American consumers about the sale of their sensitive personal information." The letter said that the FTC may be responsible for the growth of the commercial data broker industry. In the 1990s, the FTC defined "credit report" in such a way as to create the "credit header loophole." This loophole allowed many businesses to openly traffic in Social Security Numbers with no restriction at all, fueling the databases of companies like Choicepoint. Also in the 1990s, in response to congressional attention, commercial data brokers developed a weak self-regulatory system, known as the Individual Reference Services Group (IRSG) Principles. The principles allowed commercial data brokers to sell Social Security Numbers and other information to whomever they deemed "qualified." The principles contained no effective right to opt-out, no right to free access, no right of enforcement, and no right to correction. In light of the weak IRSG Principles, however, the FTC did not call for substantive regulation of the industry. 

EPIC's Testimony before the House Subcommittee on Commerce, Trade, and Consumer Protection (pdf):

     http://www.epic.org/privacy/choicepoint/testimony3.15.05.pdf

Coalition Letter on FTC Choicepoint Testimony (pdf):

     http://www.epic.org/privacy/choicepoint/majorasltr3.17.05.pdf

EPIC's December 2004 Complaint to the FTC:

     http://www.epic.org/privacy/choicepoint/fcraltr12.16.04.html

Request your Choicepoint Background Check and Public Records and report by visiting:

     http://www.epic.org/redirect/selfcheck.html

and:

     http://www.epic.org/redirect/prsearch.html

EPIC's Choicepoint page:

     http://www.epic.org/privacy/choicepoint/

========================================================================
Madrid Summit Urges Democratic Response to Threats of Terrorism
========================================================================

World leaders, policy experts, and civil society representatives gathered in Madrid, Spain, to commemorate the victims of the railway train bombing of March 11, 2004 and to consider how democratic governments should best respond to the threat of future acts of terrorism.

The International Summit on Democracy, Terrorism, and Security concluded with the release of the Madrid Agenda. The statement is "an agenda for action for Governments, institutions, civil society, the media and individuals," and "[a] global democratic response to the global threat of terrorism." Among other recommendations, the leaders of democratic governments proposed "[t]he creation of a global citizens network, linking the leaders of civil society at the forefront of the fight for democracy from across the world, taking full advantage of web-based technologies and other innovative forms of communication."

At the closing plenary session UN Secretary General Kofi Annan urged governments to safeguard human rights and the rule of law. Mr. Annan said that "many measures which States are currently adopting to counter terrorism infringe on human rights and fundamental freedoms." Mr.
Annan warned that "compromising human rights cannot serve the struggle against terrorism. On the contrary, it facilitates achievement of the terrorist's objective -- by ceding to him the moral high ground, and provoking tension, hatred and mistrust of government among precisely those parts of the population where he is most likely to find recruits."

A special session on "Democracy, Terrorism and the Internet" issued a declaration, "The Infrastructure of Democracy," urging governments to understand that an open Internet, like democratic government, provides the best response to future acts of terrorism. According to the declaration, "The Internet is fundamentally about openness, participation, and freedom of expression for all -- increasing the diversity and reach of information and ideas." The declaration also urged governments to avoid restrictions on anonymity, which "would be highly unlikely to stop determined terrorists, but would have a chilling effect on political activity and thereby reduce freedom and transparency."

The Varsavsky Foundation, in collaboration with the Spanish government, helped organize the event and supported civil society participation.

International Summit on Democracy, Terrorism, and Security:

     http://english.safe-democracy.org

The Madrid Agenda:

     http://english.safe-democracy.org/agenda/the-madrid-agenda.html

Speech of Kofi Annan:

     http://www.epic.org/redirect/annanspeech.html

The Infrastructure of Democracy:

     http://www.thepublicvoice.org/news/infra_dem.html

The Infrastructure of Democracy (Spanish):

     http://www.proyectoisla.com/mangasverdes/?p=673

The Varsavsky Foundation:

     http://english.varsavskyfoundation.org/atocha_workshop

The Public Voice:

     http://www.thepublicvoice.org

========================================================================
Google's Gmail Subject of EPIC West Testimony in California Senate
========================================================================

In testimony to the California Senate Judiciary Committee, EPIC West Director Chris Jay Hoofnagle argued that Google's Gmail service presents significant risks to personal privacy.

Gmail is an advertising-supported e-mail system that offers 1 gigabyte of storage. The Gmail system reads the actual content of e-mail and attachments in order to target advertising. While Google calls this process content "scanning," the company's patents use the phrase "content extraction" to describe the Gmail model.

Mr. Hoofnagle argued that Gmail users bargain away their own privacy, but in doing so, also give away the privacy of non-subscribers. Those who send e-mail to Gmail users also experience content extraction but never receive notice or consent to the process.

Many information collection programs originally performed for commercial purposes are now used for law enforcement or anti-terrorism purposes, Mr. Hoofnagle said. In the 1990s, privacy advocates warned regulators that direct marketers would turn over their information to the government. Now we know that instead of turning it over, major direct marketing companies, including Acxiom and Choicepoint, actively sell personal information to the government.
Similar risks exist with Gmail, although Google did not address those risks in its testimony. Instead, the company focused the debate on whether "personally identifiable profiles" are created by content extraction. The company argues that since there is no data retention from content extraction, there is no risk to privacy. However, this argument ignores the risk that the Gmail system could change, either by the company's own initiative, or by court order sought by a law enforcement agency.

The ACLU of Northern California, also testifying at the hearing, argued that content extraction may reduce Fourth Amendment expectations of privacy. If a major online e-mail provider such as Google is allowed to monitor private communications, even in an automated way, the expectations of e-mail privacy may be eroded. These effects are long-term and will undoubtedly outlive Gmail.

Google defends Gmail by stating that e-mail scanning is no different than virus scanning or spam interdiction. While it is true that there is no technical difference between these functions, there is a fundamental legal difference. The law has long recognized that communications providers should not peek into the contents of a message unless they have a valid reason relating to the delivery of service. At the hearing, Google did not address the legal difference.

EPIC Testimony on Gmail:

     http://www.epic.org/privacy/gmail/casjud3.15.05.html

EPIC Gmail FAQ:

     http://www.epic.org/privacy/gmail/faq.html

========================================================================
Transportation Biometric ID Raises Privacy Concerns; Review Urged
========================================================================

In comments filed on March 18, EPIC urged the Transportation Security Administration to delay its test of biometric technology for transportation workers until it conducts a comprehensive Privacy Impact Assessment.
The assessment should allow the agency "to ensure protection of the privacy rights of program members." EPIC said that the program must comply with the federal Privacy Act and noted that there are unique problems associated with biometric technologies. The comments discussed EPIC's congressional testimony in July 2002, which explained these unique problems. "First, the uniqueness of biometric data is affected by time, variability and data collection. This leads to the second problem: the technologies available are subject to varying degrees of error, which means that there is an element of uncertainty in any match. Third, there are several ways to circumvent a biometrics system," EPIC said in the comments. EPIC also explained that there could be severe consequences for an individual whose biometric identifier has been compromised. "It is possible to replace a credit card or Social Security numbers, but how does one replace a fingerprint, voiceprint, or retina scan?" EPIC asked. EPIC stated that allowing employees access to their records would help ensure the accuracy of the information collected and used. EPIC also urged the agency to incorporate privacy protections into the decision-making process so that the agency could avoid "later having to awkwardly, expensively, and inefficiently" adjust its biometric technology systems. 

EPIC's March 18 Comments to the Transportation Security Administration:

     http://www.epic.org/privacy/biometrics/tsa_comments31705.html

EPIC's July 2002 Congressional Testimony:

     http://www.epic.org/privacy/biometrics/testimony_071802.html

EPIC's Biometrics page:

     http://www.epic.org/privacy/biometrics/

========================================================================
EPIC Introduces EPIC FOIA Notes, 2005 FOIA Gallery
========================================================================

In celebration of Sunshine Week earlier this month, the Electronic Privacy Information Center launched EPIC FOIA Notes, a new online publication that will help bring attention to secrecy in the federal government. EPIC FOIA Notes gives subscribers fast access to important documents obtained by EPIC under the Freedom of Information Act, allowing users of mobile devices to learn quickly about important open government news. The publication also gives readers images of actual documents obtained by EPIC under the FOIA. Links from a short text message go directly to a web page that provides information about the government's latest disclosures, as well as links to other FOIA resources.

The first two editions of EPIC FOIA Notes highlighted documents recently obtained by EPIC from the FBI about data broker Choicepoint. The documents were released as two Congressional hearings examined Choicepoint's sale of personal information on 145,000 consumers to criminals posing as legitimate businesses.

In honor of Freedom of Information Day on March 16, EPIC also published the 2005 FOIA Gallery. The web page highlights scanned images of EPIC's most compelling FOIA disclosures from the past year. Featured documents include an e-mail EPIC obtained from NASA revealing that Northwest Airlines gave the FBI a year's worth of passenger data after 9/11, as well as documents showing that the Census Bureau gave the Department of Homeland Security census data on Arab Americans.

Subscribe to EPIC FOIA Notes (please note that Alert subscribers will not automatically receive the publication):

     https://mailman.epic.org/cgi-bin/control/foia_notes

EPIC FOIA Notes #2: Choicepoint and FBI:

     http://www.epic.org/foia_notes/note2.html

EPIC 2005 FOIA Gallery:

     http://www.epic.org/open_gov/foiagallery

========================================================================
News in Brief
========================================================================

FTC Makes Recommendations About RFID But Remains Noncommittal

The Federal Trade Commission (FTC) released a report outlining the contents of a workshop on radio frequency identification technology (RFID) it held in June 2004. The FTC recommended that companies using RFIDs should ensure that industry initiatives are "transparent," that the notice about the use of technology is "clear conspicuous and accurate," and that consumers are notified if an RFID tag or reader is present and if the technology is being used to collect personally identifiable information. The agency's recommendations seem noncommittal, however, and the agency does not appear to adopt a very proactive role in protecting consumers' interests. The FTC instead relies on the RFID industry to come up with self-imposed guidelines, which usually lack penalties for noncompliance or effective accountability and enforcement mechanisms.

Federal Trade Commission's Report, "RFID: Radio Frequency Identification: Applications and Implications for Consumers: A Workshop Report From the Staff of the Federal Trade Commission":

     http://www.ftc.gov/opa/2005/03/rfidrpt.htm

EPIC's RFID page:

     http://www.epic.org/privacy/rfid/

Full Senate to Consider Faster FOIA Act

The Senate Judiciary Committee voted unanimously during Sunshine Week to send the Faster FOIA Act, S. 589, to the full Senate. If passed by Congress, the legislation would impanel a sixteen-member advisory commission to examine how efficiently the Freedom of Information Act functions.
The commission would propose ways to decrease delays in the processing of Freedom of Information Act requests, as well as determine whether the system for charging fees and granting fee waivers causes delays in processing. The commission would be required to report to Congress on its findings.

The Faster FOIA Act:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d109:s.00589:

EPIC's Open Government Page:

     http://www.epic.org/open_gov

Treasury Issues New Customer Notification Breach Regulation

Under new regulations that take effect immediately, financial institutions must develop response programs for incidents where unauthorized access is gained to personal information. Institutions must assess the incident, give notice to federal regulators whenever "sensitive" personal information is accessed, and take steps to "contain and control" the incident to prevent further unauthorized access. When "the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible."

Guidance on Response Programs for Unauthorized Access to Consumer Information (pdf):

     http://www.occ.treas.gov/consumer/Customernoticeguidance.pdf

EPIC and US PIRG Comments on Response Programs:

     http://www.epic.org/privacy/glba/noticecomments.html

Links to Free Credit Report Site Unblocked

In a policy shift, the major credit reporting agencies have unblocked Internet links to the free credit report site, annualcreditreport.com. Previously, the companies only accepted links from a few web sites, and prevented news organizations, state attorneys general, and consumer groups from providing web links to the site. In December 2004, EPIC and other groups urged the Federal Trade Commission to order that the links be unblocked. In light of the group letter, Rep. Barney Frank (D-MA) wrote to the credit industry trade group to summarize changes made at the site to make it more consumer friendly.
Additionally, a recent report by the World Privacy Forum urges consumers not to use the free site at all, but rather call to get their reports, as the free site engages in unnecessary data collection and presents other risks to privacy.

Group Letter to the FTC About the Free Credit Report Site:

     http://www.epic.org/privacy/fcra/freereportltr.html

Letter from Representative Frank Concerning Changes to the Site (pdf):

     http://www.epic.org/privacy/fcra/markeyltr3.18.05.pdf

World Privacy Forum Report, "Call, Don't Click":

     http://www.worldprivacyforum.org/wpf_calldontclickstudyfull.html

Congress's Intervention in Schiavo Case Raises Issue of "Living Wills"

On March 21 Congress passed, and President Bush signed, a law that preempted state jurisdiction over the case of Terri Schiavo, a woman who is brain-damaged, and transferred jurisdiction to a U.S. district court for a federal judge to review. Schiavo's husband and her parents have been engaged in a legal battle about whether to permit Schiavo to die or be kept alive by a feeding tube. The controversy highlights the importance of making a "living will" to unambiguously explain what a person would want in such a case. Only an estimated one-fifth of Americans have drawn up a document stating their wishes in the eventuality that they become incapacitated. Further complicating the debate is the fact that state laws on the subject vary.

Text of the Terri Schiavo Bill:

     http://news.findlaw.com/hdocs/docs/schiavo/bill31905.html

European Ethics Group Raises Concerns About ICT Implants

On March 16 the European Group on Ethics in Science and New Technologies presented an opinion to the European Commission about the ethical aspects of information and communication technologies (ICT) implants in the human body. The opinion dealt with the applications of ICT implants for health and non-medical purposes, and said the latter applications are a potential threat to human dignity and democratic society.
Non-medical ICT implant applications are not explicitly covered by existing legislation, and the group recommended that the European Commission launch legislative initiatives in these areas.

Opinion of the European Group on Ethics in Science and New Technologies to the European Commission on the Ethical Aspects of ICT Implants in the Human Body (pdf):

     http://europa.eu.int/comm/european_group_ethics/docs/avis20en.pdf

EPIC's VeriChip page:

     http://www.epic.org/privacy/rfid/verichip.html

========================================================================
EPIC Bookstore: J.J. Luna's "How to Be Invisible"
========================================================================

J.J. Luna, How to Be Invisible: The Essential Guide to Protecting Your Personal Privacy, Your Assets, and Your Life (Thomas Dunne Books 2004)

     http://powells.com/cgi-bin/biblio?inkey=2-0312319061-1

"From cyberspace to crawl spaces, new innovations in information gathering have left the private life of the average person open to scrutiny, and worse, exploitation. In this thoroughly revised update of his immensely popular guide How to Be Invisible, J.J. Luna shows you how to protect yourself from these information predators by securing your vehicle and real estate ownership, your bank accounts, your business dealings, your computer files, your home address, and more.

"J.J. Luna, a highly trained and experienced security consultant, shows you how to achieve the privacy you crave and deserve, whether you just want to shield yourself from casual scrutiny or take your life savings with you and disappearing without a trace. Whatever your needs, Luna reveals the shocking secrets that private detectives and other seekers of personal information use to uncover information and then shows how to make a serious commitment to safeguarding yourself.

"There is a prevailing sense in our society that true privacy is a thing of the past.
Filled with vivid real life stories drawn from the headlines and from Luna's own consulting experience, How to Be Invisible, Revised Edition is a critical antidote to the privacy concerns that continue only to grow in magnitude as new and more efficient ways of undermining our personal security are made available. Privacy is a commonly-lamented casualty of the Information Age and of the world's changing climate -- but that doesn't mean you have to stand for it."

================================

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $35.
http://www.epic.org/bookstore/phr2004

This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS).
This reference guide provides the official UN documents, regional and issue-oriented perspectives, as well as recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.
http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.
The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

======================================================================
Upcoming Conferences and Events
======================================================================

F2C: Freedom to Connect. March 30-31, 2005. Washington, DC. For more information: http://freedom-to-connect.net/

The Global Flow of Information Conference 2005. Information Society Project at Yale Law School. April 1-3, 2005. New Haven, CT. For more information: http://islandia.law.yale.edu/isp/GlobalFlow/registration.htm.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. April 4-8, 2005. Mar del Plata, Argentina. For more information: http://www.icann.org.

VoIP World Africa 2005. April 5-7, 2005. Terrapinn. Johannesburg, South Africa. For more information: http://www.terrapinn.com/2005/voipza/confprog.stm.

Private Conduct/Private Places: New Media, Surveillance, Sexuality. April 8-9, 2005. UC Berkeley. For more information: http://cnm.berkeley.edu/events_news/index.php

RFID Journal LIVE! 2005. April 10-12. Chicago, IL. For more information: http://www.rfidjournallive.com.

CFP2005: Fifteenth Annual Conference on Computers, Freedom and Privacy. April 12-15, 2005. Seattle, WA. For more information: http://www.cfp2005.org.

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research. May 8-11, 2005. Berkeley, CA. For more information: http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html.

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence of Privacy & Security. May 23-24, 2005. Atlanta, Ga. For more information: http://www.pli.edu/product/program_detail.asp?ptid=511&stid=3&id=EN00000000019985

SEC2005: Security and Privacy in the Age of Ubiquitous Computing. Technical Committee on Security & Protection in Information Processing Systems with the support of Information Processing Society of Japan. May 30-June 1, 2005. Chiba, Japan. For more information: http://www.sec2005.org.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. July 11-15, 2005. Luxembourg City, Luxembourg. For more information: http://www.icann.org.

3rd International Human.Society@Internet Conference. July 27-29, 2005. Tokyo, Japan. For more information: http://hsi.itrc.net.

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005. Edinburgh, Scotland. For more information:

5th Annual Future of Music Policy Summit. Future of Music Coalition. September 11-13, 2005. Washington DC. For more information: