                            E P I C  A l e r t
Volume 10.19                                          September 18, 2003

                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] EPIC Lawsuit Compels Release of Passenger Profiling Info 
[2] U.S. and EU Debate Handling of Passenger Data 
[3] EPIC Files FTC Complaint Over Experian’s Deceptive Ads 
[4] White House Pushes to Expand Patriot Act 
[5] EPIC Joins Coalition to Urge Protection of Health Info 
[6] News in Brief 
[7] EPIC Bookstore: Pole Star - Human Rights in the Information Society 
[8] Upcoming Conferences and Events

[1] EPIC Lawsuit Compels Release of CAPPS II Passenger Profiling Info

Just a day after EPIC asked a federal court to issue an emergency
court order requiring the Transportation Security Administration (TSA)
to release information concerning the Computer Assisted Passenger
Prescreening System (CAPPS II), the agency agreed to process the
documents for potential release.  In a submission filed with the
court, the TSA stated that it will complete processing the material by
September 25, five days before public comments are due on the TSA's
proposed Privacy Act notice for the controversial air passenger
profiling system.

The agreement requires the TSA to disclose "Capital Asset Plan and
Business Case" (Exhibit 300) materials on CAPPS II that the agency has
prepared for the Office of Management and Budget (OMB), and any
privacy impact assessments the TSA has conducted on CAPPS II.  OMB
requires agencies seeking funding for projects to submit an Exhibit
300, which requires, among other things, an evaluation of privacy and
security risks that a project might pose.  Furthermore, the
E-Government Act of 2002 requires agencies to prepare a privacy impact
assessment before developing or procuring information technology that
collects, maintains or disseminates identifiable information.

These documents potentially include crucial information on the privacy
implications of CAPPS II.  While the TSA has repeatedly assured the
public that the profiling system will respect the privacy rights of
air passengers, it has not disclosed any internal documents assessing
the potential privacy or civil liberties impact of the program.  In
March, EPIC requested from the TSA any privacy assessments of CAPPS
II, as well as information from the Department of Defense (DOD)
concerning Pentagon involvement in the screening system.  Neither
agency processed the requests within the time frame set out by the
Freedom of Information Act, despite their agreement to "expedite" the
process.  In response, EPIC filed an earlier lawsuit in June against
the TSA and DOD, which is still pending in federal court.

EPIC's request for an emergency court order is available at:


TSA's formal agreement to release the documents is available at:


The TSA CAPPS II Notice is available at:


More information about CAPPS II is available at EPIC's Air Travel
Privacy Page:


[2] U.S. and EU Debate Handling of Passenger Data

The United States is working diligently to convince the European Union
to participate in the proposed Computer Assisted Passenger Profiling
System (CAPPS II), the airline passenger security system created to
prevent suspected terrorists from boarding airplanes.  If the EU does
choose to participate in the system as proposed, all travelers
entering or flying through the U.S. will be required to provide their
name, address, birth date, and home telephone number when purchasing a
plane ticket.  Each passenger's information would then be shared with
the US government and then checked against various private databases,
terrorist watch lists, and felony warrant lists.  Passengers would be
assigned a color code to inform screeners whether to allow them to
board the flight, or question, detain or arrest them.

Since March 5, 2003, the EU has cautiously allowed the U.S. access to
the Passenger Name Records (PNRs) of its citizens.  But the CAPPS II
program will not be accepted so simply by the European Commission,
which has rejected the demands of the currently proposed program and
insisted on "adequate protection."  Despite its initial concession of
PNR data, the EU continues to press for a framework that is legally
secure.  Frits Bolkestein, the EU Commissioner in charge of customs
issues, has written a letter to U.S. authorities demanding
improvements and warning of a confrontation.  He noted some
improvements from the original CAPPS II proposal, but stands steadfast
on the charge that there are too many other privacy threats that lie
unprotected by this system. Bolkestein is scheduled to discuss the
issue further with representatives of the US Department of Homeland
Security on September 22.

Other countries around the world may side with the EU in their
demands.  A resolution was passed at the International Conference of
Data Protection and Privacy Commissioners last week in Sydney, calling
for "an international agreement stipulating adequate data protection
requirements, including clear purpose limitation, adequate and
non-excessive data collection, limited data retention time,
information provision to data subjects, the assurance of data subject
rights and independent supervision."

The U.S. faced another setback in its plans for monitoring foreign air
travel recently.  The government announced it is postponing new
passport rules requiring citizens of 27 countries that have never
before been required to hold visas to now obtain new scan-friendly
passports.
Despite the problems, the US continues its work to implement the CAPPS
II system.  JetBlue Airlines is reported to have agreed to share its
passenger data in an effort to test the program, even after the
original test airline, Delta, cancelled its agreement due to public
boycott pressure.

View the text of Bolkestein's speech at:


View the text of the Data Commissioners Resolution at:


View EPIC's passenger data page:


Read the New York Times article on the new passport requirements:


[3] EPIC Files FTC Complaint Over Experian’s Deceptive Ads

This week EPIC filed a complaint with the Federal Trade Commission (FTC)
concerning the marketing practices of Experian, one of the three major
credit reporting agencies.  The September 16 complaint alleges that
Experian engages in deceptive marketing practices, a violation of 15
U.S.C. Section 45(a)(1), by advertising “free” credit reports to
consumers that come with hidden obligations.

According to the complaint, Experian broadly disseminates offers for
"free" credit reports over television and the Internet, but the offers
are tied to hidden obligations which are not prominently disclosed.
Experian only provides a "free" credit report by permitting consumers
to access an expensive credit monitoring service that they are
automatically charged for if they do not notify the company within 30
days.  The complaint states that not only is Experian's advertising
misleading, but it also plays on fears of inaccuracy in credit reports
in order to drive up sales of the company's products - inaccuracy for
which the company itself may be responsible.

The FTC requires that products advertised as “free” must not have
hidden strings attached.  Any company advertising products as “free”
must disclose to potential consumers any conditions or obligations up
front.  While Experian does refer to the service in small print on its
Web site above the button to accept the offer, EPIC points out that
the notice is neither prominent nor disclosed in the television
advertisement, as required by the FTC.

EPIC urges the FTC to act immediately to investigate and stop
Experian’s deceptive advertising practices.  Furthermore, EPIC asks
the FTC to require all credit reporting agencies — not just Experian —
to provide credit monitoring services to consumers without charge in
order to assure the maximum possible accuracy in credit reports,
assurance that credit reporting agencies are required to provide under
the Fair Credit Reporting Act, 15 U.S.C. Section 1681(e)(b).

EPIC’s complaint is available at:


Experian's offer is available at:


[4] White House Pushes to Expand Patriot Act

Using the second anniversary of the 9/11 attacks to broach new policy,
the President pressed for greater Patriot Act law enforcement powers
in a speech at the FBI Academy on September 10.  The President's
proposed changes would allow federal law enforcement agencies to issue
subpoenas, thus bypassing judicial oversight altogether.  He also
pushed to extend the death penalty to terrorism-related crimes, and
permit judges to deny bail to those arrested and held as terrorist
suspects.  All three measures were represented in early drafts of the
Patriot Act, but struck before the law's passage.

Coinciding with the White House's speech was the introduction of three
bills in Congress that would carry out its proposals.  H.R. 3037 would
allow the Attorney General to issue subpoenas in terrorism
investigations without court approval, and place a gag order on
recipients of such subpoenas if the Attorney General deems that a
danger to national security could result from disclosure.  H.R. 3040
would permit a judge to detain a terrorism suspect without bail before
trial, and would broaden the scope of individuals subject to lifetime
supervision after release from prison for terrorism-related acts.  S.
1604 would allow imposition of the death penalty for terrorist crimes
that result in death, as well as deny federal benefits to convicted

The White House's push for greater Patriot Act powers follows in the
wake of allegations that law enforcement agencies increasingly use
Patriot Act tools to capture and punish run-of-the-mill criminals
rather than terrorists.  The Justice Department concedes that it has
applied its expanded powers to smugglers, defrauders, bookies, con
artists, and drug dealers.

The text of H.R. 3037, Antiterrorism Tools Enhancement Act of 2003, is
available at:


The text of H.R. 3040, Pretrial Detention and Lifetime Supervision of
Terrorists Act of 2003, is available at:


The text of S. 1604, Terrorist Penalties Enhancement Act of 2003, is
available at:


More information about the Patriot Act is available at EPIC's Patriot
Act Page:


[5] EPIC Joins Coalition to Urge Protection of Health Info

EPIC, the Health Privacy Project and 28 other health care advocacy,
labor, consumer, disability rights, and health care provider groups
sent a letter to Health and Human Services Secretary Tommy Thompson
urging him to affirm that protected health information sent through
the banking network must be accessible only to providers and health
plans for whom it is intended.  Financial institutions have expressed
interest in data mining electronic transactions that flow through the
banking system in order to gain information for use in marketing and
credit risk evaluation.  Once banks gain this information through data
mining, they can use and share it without limitation.

The transaction at issue is the Electronic Remittance Advice (ERA).
The ERA standard adopted by the Department of Health and Human
Services permits electronic funds transfer instructions and the ERA to
be sent within a single transaction.  Instructions for electronic
funds transfer contain no protected health information, but the ERA
does. The Preamble to the Privacy Rule makes it clear that the
receiving bank is the intended recipient of the electronic funds
transfer instructions and a provider or health plan is the intended
recipient of the ERA.  The Preamble further states that the protected
health information in the ERA is not necessary for the performance of
the funds transfer function by banks and that covered entities may not
disclose protected health information to banks for this purpose.

The banking industry has been asking the Office for Civil Rights to
revise or retract this earlier guidance, claiming that the ERA is part
of the payment function performed by banks.  Organizations that signed
the letter to Secretary Thompson relied on the Preamble and
legislative history to urge the Department to affirm the position it
took in the Preamble to the Privacy Rule.

View the letter sent by the coalition:


View EPIC's Medical Privacy Page:


[6] News in Brief


Eleanor Hill, the Staff Director for the Joint Inquiry Committee of
the Senate and House that investigated the failings of U.S.
intelligence to foresee the September 11 terrorist attack, testified
before the House Select Homeland Security Committee on September 10,
2003.  Hill told the committee that one of the main reasons why the
U.S. Intelligence Community failed to see what Al Qaeda was planning
was not a lack of intelligence but the failure by the intelligence and
law enforcement agencies to piece together what was already available,
including "public documentation and open source information."  Hill
also told the committee that too much information about the threat of
Al Qaeda was withheld from the American public before 9/11 and pointed
out that a well-informed public can actually help in the war against
terrorism.  Hill recommended that classification procedures be
overhauled to ensure that as much real-time information can be made to
the public, as well as to law enforcement and state and local

Read Eleanor Hill's Statement:


View the 9-11 Joint Inquiry Report:



The number of Freedom of Information Act and Privacy Act requests to
federal government agencies reached a record high in 2002, according
to a new report from the Justice Department Office of Information and
Privacy.  The total number of requests increased by seven percent over
the previous year to a new high of 2,402,938.  The Department of
Veterans Affairs received the most requests (1,496,191); something
called the Inter-American Foundation received the least (one).
Agencies invoked 142 different nondisclosure statutes to withhold
information under FOIA exemption.  Personal privacy was the most
frequently cited single exemption.

View the Justice Department's Report:



The U.S. General Accounting Office released five reports on various
aspects of domestic security last week.  The reports cover the
subjects of smart cards, biometrics, maritime security, ID fraud, and
transportation security.

To learn more about the reports:

Electronic Government: Challenges to the Adoption of Smart Card
Technology, by Joel Willemssen, managing director, information
technology, before the Subcommittee on Technology, Information Policy,
Intergovernmental Relations, and the Census, House Committee on
Government Reform.  GAO-03-1108T, September 9.


Information Security: Challenges in Using Biometrics, by Keith A.
Rhodes, chief technologist, before the Subcommittee on Technology,
Information Policy, Intergovernmental Relations, and the Census, House
Committee on Government Reform. GAO-03-1137T, September 9.


Maritime Security: Progress Made in Implementing Maritime
Transportation Security Act, but Concerns Remain, by Margaret T.
Wrightson, director, homeland security and justice, before the Senate
Committee on Commerce, Science, and Transportation. GAO-03-1155T,
September 9.


Security: Counterfeit Identification and Identification Fraud Raise
Security Concerns, by Robert J. Cramer, managing director, Office of
Special Investigations, before the Senate Committee on Finance.
GAO-03-1147T, September 9.


Transportation Security: Federal Action Needed to Enhance Security
Efforts, by Peter Guerrero, director, physical infrastructure, before
the Senate Committee on Commerce, Science, and Transportation.
GAO-03-1154T, September 9.



The EPIC Alert is now being featured as a resource with the Privacy &
FOI Project, a division of the World Legal Information Institute that
aims to make searchable from one location all of the databases
specializing in Privacy and FOI law and make them available through
any of the Legal Information Institutes across the globe.  Other sites
included in the project are databases of cases from the Canadian
Privacy Commissioner, Federal Privacy Commissioner of Australia, and
New Zealand Privacy Commissioner, and the Privacy Law & Policy
Reporter from Australia.

Visit the Privacy & FOI Law Project at:


[7] EPIC Bookstore: Pole Star

Deborah Hurley: Pole Star - Human Rights in the Information Society
(International Centre for Human Rights and Democratic Development,


Deborah Hurley's essay, Pole Star - Human Rights in the Information
Society, provides an excellent introduction to the relationship
between information technology and human rights.  Written in
preparation for the World Summit on the Information Society set to
convene in Geneva this December, Hurley calls on international leaders
to make human rights a central consideration when forming information
technology policy.  She declares that without a strong foundation in
human rights - what she deems, “the keystone in the arch of
civilization” - the information society will not be viable.

Pole Star underscores the challenges, as well as opportunities, at
hand to ingrain human rights values into developing technology and
standards.  Information technology, Hurley points out, is still
decentralized and largely unregulated and the policy pertaining to it
immature.  There are vast opportunities to impose structure.  Within
the proper framework, she adds, new technologies represent an
invaluable resource to people in developing nations.  Hurley touches
upon several significant policy issues relating to technology and
human rights, including a thoughtful and convincing examination of
privacy rights and their relevance.  She further iterates that, “It is
axiomatic that privacy and security are compatible and can be mutually
reinforcing,” a principle that is important to reinforce.

The essay concludes with a list of six recommendations, foremost among
them that a World Commission on the Information Society should be
formed.  Hurley also calls on the United States to adopt national
privacy legislation based upon the OECD Privacy Guidelines and the
Council of Europe Convention.  While several of the recommendations
are quite broad and somewhat vague, overall they provide a good
objective for nations and leaders to work toward.

--Emily Cadei


EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"Privacy & Human Rights 2003: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty-five countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

       EPIC Bookstore

       "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Human Rights Caucus Report Launch. September 19, 2003. Geneva,
Switzerland. For more information:

Making Intelligence Accountable,  September 19-20, 2003.  Oslo,
Norway. The Geneva Centre for the Democratic Control of Armed Forces.
For more information:

Communication, Information and Internet Policy. September 19-21.
Arlington, VA. For more information: http://www.tprc.org

Crime Prevention & Security: Pro-Active. September 24-26. Amsterdam,
Netherlands. For more information:

The State of Accountable Government in a Surveillance Society.  Office
of the Information and Privacy Commissioner for British Columbia.
September 25-26, 2003.  Victoria, British Columbia.  For more
information:  http://www.oipc.bc.ca/anniversary/

Privacy2003.  Technology Policy Group.  September 30-October 2, 2003.
Columbus, Ohio.  For more information:

Localizing the Internet: Ethical Issues in Intercultural Perspective.
International Center for Information Ethics.  October 4-6, 2004.
Karlsruhe, Germany.  For more information:

UbiComp 2003 Privacy Workshop.  October 12, 2003.  Seattle, WA.  For
more information:

Security Laws and Privacy Seminar. Riley Information Service Inc.
October 20, 2003. Ottawa, Canada. For more information:

8th Symposium on Privacy and Security - Identity and Anonymity in an
Increasingly Interconnected World. Swiss Federal Institute of
Technology. October 21-22, 2003. Zurich, Switzerland. For more
information: www.privacy-security.ch

Getting the Technology You Deserve:  Community Participation in
Regional Cable Franchise Policy.  Computer Professionals for Social
Responsibility.  October 25, 2003.  Seattle, Washington.  For more
information: http://www.cpsr.org/conferences/annmtg03/

ICANN Meeting.  Internet Corporation for Assigned Names and Numbers.
October 27-31, 2003.  Carthage, Tunisia.  For more information:

IAPP Privacy and Data Security Academy and Expo. October 29-31, 2003.
Chicago, IL. For more information: http://www.privacyassociation.org

Business for Social Responsibility Annual Conference - Building and
Sustaining Solutions. November 11-14. Los Angeles, CA. For more
information: http://www.bsr.org

RFID Privacy Workshop.  Massachusetts Institute of Technology.
November 15, 2003.  Boston, Massachusetts.  For more information:

American Society of Access Professionals Workshop. November 18-19,
2003. St. Louis, Missouri. For more information:

Media Freedoms and the Arab World.  The Arab Archives Institute.
December 6-8, 2003. Amman, Jordan. For more information: email
[email protected] or see

WHOLES - A Multiple View of Individual Privacy in a Networked World.
Swedish Institute of Computer Science. January 30-31, 2004. Stockholm,
Sweden. For more information: http://www.sics.se/privacy/wholes2004.

Subscription Information

Subscribe/unsubscribe via Web interface:


Subscribe/unsubscribe via e-mail:

      To: [email protected]
      Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

      To: [email protected]
      Subject: "help" (no quotes)

Problems or questions? e-mail < [email protected]>

Back issues are available at: http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information".  Please contact [email protected] if you would
like to change your subscription e-mail address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail [email protected], http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140
(tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.19 ----------------------