EPIC logo

                            E P I C  A l e r t
Volume 10.16                                             August 6, 2003

                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] TSA Issues CAPPS II Notice; Expands System
[2] Data Privacy Bill Introduced; Admiral Poindexter To Resign
[3] Bill Introduced to Reverse PATRIOT Act Provisions
[4] GAO Privacy Act Report Indicates Need for Better Compliance
[5] Researchers Find Flaws in Electronic Voting
[6] News in Brief
[7] EPIC Bookstore: Secure Coding: Principles & Practices
[8] Upcoming Conferences

[1] TSA Issues CAPPS II Notice; Expands System

The Transportation Security Administration (TSA) has released a
supplementary Privacy Act notice outlining its plans to administer the
Enhanced Computer Assisted Passenger Profiling System (CAPPS II).  The
agency claims that CAPPS II will enhance transportation security by
relying upon private-sector database companies to identify passengers,
and a set of secret procedures to perform a risk assessment on
travelers.  Passengers will be assigned a risk score by CAPPS that
could subject them to heightened security screening or detention.

The notice is more specific about the TSA's planned collection, use,
and storage of personal information than an earlier release in January
2003, but fundamental privacy problems with CAPPS remain.  The system
establishes a government checkpoint on almost all commercial aviation
that could be extended to other forms of transportation, or even to
security at government buildings.

In a significant expansion of the program, TSA announced that CAPPS II
will not only scan for suspected terrorists, but also for those wanted
for violent crimes.

The notice announces TSA's plans to allow a "passenger advocate" to
provide access to information in CAPPS, along with an appeals process
to address errors.  However, the notice exempts CAPPS II from a number
of Privacy Act requirements, including duties to grant access to
personal information, duties to make an accounting of disclosures of
personal information, provisions that limit the scope of information
that can be maintained by the agency, and accountability provisions
that apply criminal penalties for misuse of personal information.

Any member of the public can comment on the CAPPS II notice until
September 30, 2003.

The TSA CAPPS II Notice is available at:


More information about CAPPS II and air travel privacy is available at
EPIC's Air Travel Privacy Page:


[2] Data Privacy Bill Introduced; Admiral Poindexter To Resign

Senator Ron Wyden (D-OR) has introduced S. 1484, the Citizens'
Protection in Federal Databases Act.  The bill would require the
Departments of Justice, Defense, Homeland Security, Treasury, Central
Intelligence Agency, and the Federal Bureau of Investigation to submit
a report to Congress on use of private-sector databases, or lose
funding for purchasing personal information from companies such as
ChoicePoint and Lexis-Nexis.

The report must give a detailed description of the contracts that the
agencies have with private sector profilers.  The report will also
cover how the agencies access personal information, how data mining is
being employed, the type of data purchased, the purposes for which the
information is used, whether there are security or audit mechanisms in
place, and data retention practices.

The bill prohibits using data mining without some suspicion of
criminal wrongdoing.  That provision was included to prohibit the use
of so called "red teams" that would invent hypothetical scenarios for
possible terrorists attacks and then search databases to detect traces
of their fabricated plans.

In a separate development, Admiral John Poindexter, chief of the
Defense Advanced Research Projects Agency's Information Awareness
Office, will resign.  Controversy surrounded Poindexter's appointment
to the office, where he spearheaded research projects that had highly
invasive applications, such as Total Information Awareness (TIA) and
Human ID at a Distance.  Poindexter was well known in the computer
security community for his involvement in National Security Decision
Directive Number 145, a 1984 policy that would have given the National
Security Agency control over security for all government computer
systems containing "sensitive but unclassified" information. This was
followed by a second directive that extended military authority over
all computer and communications security for the federal government
and private industry.

The text of the Citizens' Protection in Federal Databases Act is
available at:


Information about how private sector profilers use public records
information is available at EPIC's Public Records Page:


FBI Documents Detailing Use of Private Sector Databases are available


The text of NSDD 145 is available at:


Information about Total Information Awareness is available at
EPIC's Total Information Awareness Page:


[3] Bill Introduced to Reverse PATRIOT Act Provisions

Senator Lisa Murkowski (R-AK) has introduced a bill meant to address
risks to civil liberties posed by the USA PATRIOT Act.  The Protecting
the Rights of Individuals Act (PRIA), cosponsored by Senator Ron Wyden
(D-OR), is intended to curtail considerable law enforcement search and
seizure powers now permitted under the USA PATRIOT Act.

If enacted, the PRIA would require law enforcement agencies to obtain
court orders to conduct electronic surveillance, and would heighten
judicial oversight of law enforcement monitoring of certain telephone
and Internet communications.  Law enforcement officials could delay
notification of an issued warrant or court order only when immediate
notification might jeopardize an investigation or threaten the
physical safety of an individual.  Law enforcement agencies attempting
to place roving wiretaps on telephones would have to demostrate to a
judge that a crime has been, or will be, committed. The PRIA would
also limit the Federal Bureau of Investigations's ability to access
such personal information as an individual's medical, library, and
Internet records without demonstrating probable cause that the
individual is an agent of a foreign power.

In addition, the PRIA would forbid data-mining without explicit
authorization from Congress, and would require the Office of the
Attorney General to publish annual reports disclosing certain aspects
of its search activities under the USA PATRIOT Act.  Further, the bill
would restrict law enforcement requests to libraries to turn over
information regarding Internet use by library patrons to the
investigation standards provided in the Foreign Intelligence
Surveillance Act (FISA).

In related news, the American Civil Liberties Union (ACLU) recently
filed the first legal challenge to the USA PATRIOT Act.  In MCA, et
al. v. Ashcroft and Mueller, the ACLU alleges that the broad scope of
FBI search power authorized by the USA PATRIOT Act violates the First,
Fouth, and Fifth Amendments of the Constitution.

The text of the Protecting the Rights of Individuals Act is available


Information about the USA PATRIOT Act is available at EPIC's USA


Additional information about USA PATRIOT Act developments is available


Information about the Foreign Intelligence Surveillance Act (FISA) is
available at EPIC's FISA Page:


The ACLU's Complaint in MCA, et al. v. Ashcroft and Mueller is
available at:


[4] GAO Privacy Act Report Indicates Need for Better Compliance

On July 30, the General Accounting Office (GAO) released a report
finding that compliance with the Privacy Act by government agencies is
inconsistent and, as a result, individuals cannot be assured that
their privacy rights are being protected.  The report, "Privacy Act:
OMB Leadership Needed to Improve Agency Compliance," was initiated at
the request of Sen. Joseph Lieberman (D-CT), Ranking Minority Member
of the Senate Committee on Governmental Affairs.

The Privacy Act requires that a governmental agency observe certain
procedures when it is collecting personal information that is
retrieved by a personal identifier.  These procedures call for the
agency to collect only necessary information, provide public notice
when creating or altering record-keeping systems, and safeguard the

The GAO, studying a cross section of 25 agencies and systems ranging
from files of five persons to 290 million persons, found that
respondents' compliance with the Privacy Act ranged from 70 percent to
100 percent.  The GAO estimates that for 10 percent of the systems
kept, agencies allow individuals to access personal information over
the Internet.  Privacy officers at the subject agencies explained the
need for more oversight and guidance by the Office of Management and
Budget (OMB) in order to increase compliance. As a result, GAO's
overarching recommendation was for increased OMB oversight.  The OMB,
charged with setting forth guidelines and regulations for agency
implementation of the Privacy Act, disagreed with the report's
conclusion and recommendations, finding the statements "reckless and
irresponsible" based on the compliance data.

While the GAO was careful to conclude that the lack of compliance does
not mean that the government will not protect individuals' privacy
rights, it did make clear that, under these circumstances, privacy
protection cannot be assured.

The GAO report, "Privacy Act: OMB Leadership Needed to Improve Agency
Compliance," is available at:


The text of the Privacy Act is available at:


[5] Researchers Find Flaws in Electronic Voting

A recent study conducted by computer science researchers at Johns
Hopkins University has found that electronic voting systems contain
"significant security flaws" that may subject election results to
fraud by both voters and those involved in election administration.

The researchers conducted the study using source code found on the
Internet that is believed to be the proprietary code of the
AccuVote-TS touch-screen voting system produced by Diebold Election

The study found that the voting machines' use of "smartcards" renders
the system vulnerable to tampering by voters as well as "insiders such
as poll workers, software developers and even janitors," all of whom
could cast multiple votes due to the voting system's failure to
provide a means to track such misconduct.  The report was also
critical of the system's failure to provide a paper "audit trail" that
can be reviewed by voters for accuracy.  The researchers conclude that
"there appears to have little quality control in the [software
development] process."

The researchers' report urges openness in the software development
process to facilitate the creation of better quality electronic voting
software.  Alternatively, the researchers recommend that electronic
voting systems include a voter-verifiable paper audit trail to ensure
accuracy in the voting process.

Diebold voting machines have already been used in elections in
Maryland, Georgia, California, and Kansas, among other locations.
Maryland election officials recently ordered $55.6 million worth of
touch-screen voting equipment from Diebold in preparation for the
implementation of electronic voting throughout the state.

The Johns Hopkins researchers' report "Analysis of an Electronic
Voting System" is available at:


More information about electronic voting is available at:


To sign a petition urging voter-verifiable ballot trails, see:


[6] News in Brief

CA Fed. Court Rules that FCRA Preempts Local Privacy Law

In a serious setback to privacy rights, a federal district court in
the Northern District of California has ruled that the Fair Credit
Reporting Act preempts city ordinances that established certain
heightened privacy protections.  The ordinances, enacted in several
California cities and counties, required financial institutions to
obtain opt-in consent before sharing personal information amongst
affiliated and non-affiliated entities.  The ordinances were intended
to supplement the federal Gramm-Leach-Bliley Act (GLBA), which sets
weak, opt-out standards for information sharing among non-affiliates,
and does not allow any choice in regards to affiliate sharing.  The
court invalidated opt-in requirements for affiliate sharing, but
upheld an opt-in standard for non-affiliate information sharing.  The
court's decision is likely to be appealed, as Congress clearly
intended to allow states to regulate information sharing in passing
the GLBA.

The opinion in Bank of America v. Daly City, Nos. 02-4343 & 02-4943
(N.D. Cal. July 29, 2003) is available at:


Homeless Tracking System Announced

The Department of Housing and Urban Development announced its
guidelines for "Homeless Management Information Systems" (HMIS).  HMIS
is a standard system for tracking homeless persons and the services
rendered to them.  Entities that provide services would collect their
names, Social Security Numbers, dates of birth, race, gender, health
status (including HIV, pregnancy, and domestic violence), veteran
status, and income information.

Although the plan does not call for a national, centralized database,
the information collected could easily facilitate the creation of a
national database in the future.  Furthermore, law enforcement, Secret
Service, and National Security access to the database would be nearly
unlimited.  The guidelines are open to public comment until September
22, 2003.

HUD Homeless Management Information Systems webpage:


Colleges Seek to Quash P2P Subpoenas Under FERPA

Boston College and the Massachusetts Institute of Technology are
relying upon the Federal Educational Rights and Privacy Act (FERPA) to
invalidate subpoenas directed to the institutions that seek the
identity of students using peer-to-peer file sharing systems.  The
Recording Industry Association of America issued the subpoenas in an
attempt to bring suit against students operating popular file sharing
systems on the campuses.  The subpoenas, issued under the Digital
Millennium Copyright Act (DMCA) present a serious risk to privacy as
they allow a copyright holder to determine the identity of an Internet
user without meaningful due process.

The EPIC Letter on P2P Monitoring in Higher Education is available at:


More information about education privacy is available at EPIC's FERPA


[7] EPIC Bookstore: Secure Coding: Principles & Practices

Mark G. Graff and Kenneth R. van Wyk, Secure Coding: Principles &
Practices (O'Reilly 2003).


Attacks on computer systems and networks occur today at an alarming
rate.  Worms, malevolent mail, and distributed denial of service
attacks undermine systems around the globe--from banks to major
e-commerce sites to critical infrastructure computers.  Despite their
many manifestations and targets, nearly all attacks have one
fundamental cause: the code underlying these computers and networks is
not secure.

Finally, a book takes aim at the fundamental problem challenging the
very future of the Internet.  Packed with expert advice based on the
authors' decades of experience, Secure Coding sheds light on the
economic, psychological, and practical reasons why security
vulnerabilities are so ubiquitous today.  Much more than a technical
tome, this concise and engaging book is a call to arms, a challenge to
all of us to finally make a commitment to building secure code.  The
future of technology may very well depend on our heeding the call.


EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40.  http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Chaos Communication Camp 2003: The International Hacker Open Air
Gathering.  Chaos Computer Club.  August 7-10, 2003. Paulshof,
Altlandsberg, Germany.  For more information: http://www.ccc.de/camp/

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk
and Science Fiction.  August 11-13, 2003.  Prague, Czech Republic.
For more information:

NSF Cyber Trust Point Meeting.  Johns Hopkins University Information
Security Institute.  AUGUST 13-15, 2003.  Baltimore, Maryland.  For
more information:  http://www.jhuisi.jhu.edu/institute/cybertrust.html

Voting Machines: A Threat To Democracy?  The Ethical Society.
September 7, 2003.  Philadelphia, Pennsylvania.  For more information:

Surveillance and Privacy 2003:  Terrorists and Watchdogs.  Baker &
McKenzie Cyberspace Law and Policy Centre and Univeristy of New South
Wales Law Faculty.  September 8-9, 2003.  Sydney, Australia.  For more
information:  http://www.bakercyberlawcentre.org/2003/Privacy_Conf/

25th International Conference of Data Protection and Privacy
Commissioners.  September 10-12, 2003.  Sydney, Australia.  For more
information:  http://www.privacyconference2003.org/

WWW2003: 5th Annual Conference on World Wide Web Applications.
Department of Information Studies, Rand Afrikaans University, and the
Department of Information Systems and Technology, University of
Durban-Westville.  September 10-12, 2003.  Durban, South Africa.  For
more information:  http://www.udw.ac.za/www2003/

Making Intelligence Accountable,  September 19-20, 2003.  Oslo, Norway.
The Geneva Centre for the Democratic Control of Armed Forces.  For
more information:

Privacy2003.  Technology Policy Group.  September 30-October 2, 2003.
Columbus, OH.  For more information:

Getting the Technology You Deserve:  Community Participation in
Regional Cable Franchise Policy.  Computer Professionals for Social
Responsibility.  October 25, 2003.  Seattle, Washington.  For more
information: http://www.cpsr.org/conferences/annmtg03/

ICANN Meeting.  Internet Corporation for Assigned Names and Numbers.
October 27-31, 2003.  Carthage, Tunisia.  For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:


Subscribe/unsubscribe via e-mail:

      To: epic_news-request@mailman.epic.org
      Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

      To: epic_news-request@mailman.epic.org
      Subject: "help" (no quotes)

Problems or questions? e-mail < info@epic.org >

Back issues are available at: http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription e-mail address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140
(tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.16 ----------------------