                            E P I C  A l e r t
Volume 10.20                                          October 2, 2003

                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] EPIC Urges Halt to CAPPS II Air Passenger Profiling System
[2] JetBlue and Acxiom are Subjects of EPIC Complaint to FTC
[3] Do-Not-Call Registry Hit with Legal Challenges
[4] EPIC Testifies in the House on Cross Border Fraud
[5] Coalition Questions HUD Homeless Surveillance Program
[6] News in Brief
[7] EPIC Bookstore: The Challenge of Crime
[8] Upcoming Conferences and Events

[1] EPIC Urges Halt to CAPPS II Air Passenger Profiling System

Concluding that it is "precisely the sort of system that Congress
sought to prohibit when it enacted the Privacy Act of 1974," EPIC has
called for a halt to the Computer Assisted Passenger Prescreening
System (CAPPS II).  The recommendation was made in response to a
Transportation Security Administration (TSA) notice exempting the
controversial passenger profiling project from key requirements of the
Privacy Act of 1974.  The TSA notice, published in the Federal
Register on August 1, 2003, provided more details on the agency's
plans to collect and use personal information than an earlier notice
published in January 2003, but still failed to address fundamental
privacy questions.  Furthermore, in a significant expansion of the
program's purpose, TSA announced that CAPPS II will not only search
for suspected terrorists, but also for those wanted for violent

The notice also described TSA's plans to establish a "Passenger
Advocate" to provide individuals access to information in the system,
along with an appeals process to address errors.  However, the notice
exempts CAPPS II from numerous Privacy Act provisions, including
judicially enforceable rights to access and correct personal data;
the duty to make an accounting of disclosures of personal information;
and limitations on the scope of information that can be maintained by
the agency.

EPIC's comments criticized the lack of government transparency in
CAPPS II, noting that TSA has disclosed little information about the
system in response to repeated Freedom of Information Act requests,
and also has failed to prepare a Privacy Impact Assessment of the
system, as required by federal law.  The comments addressed TSA's
failure to provide individuals with meaningful access to personal
information and meaningful opportunities to correct inaccurate,
irrelevant, untimely and incomplete information.  EPIC also noted
CAPPS II's exemption from the requirement that a system maintain only
information that is "relevant and necessary" to perform the system's
function, and asserted that TSA's broadly drawn "routine uses" of
CAPPS II data would only heighten the system's privacy problems.  EPIC
concluded that "[a]cquisition of personal data should not proceed
until TSA has revised its policies and practices to bring them into
conformance with the intent of the Privacy Act."

European Digital Rights (EDRi), an association of 14 European digital
rights and privacy organizations from 11 countries in Europe, also
filed comments with the TSA.  Acting on behalf of European travelers
who will also have their data disclosed to U.S. authorities and
processed by the CAPPS II profiling system, EDRi argued that the
notice seriously violates EU privacy laws and discriminates between
U.S. and non-U.S. citizens as to the retention of their data and their
right of effective redress.  It also urged TSA to have strong privacy
safeguards in place to protect passengers' personal information when
the data is used by U.S. law enforcement and disclosed to private
third parties, in full compliance with EU core data protection

The comment period for the notice ended just days after Congress voted
to discontinue funding for CAPPS II implementation until the General
Accounting Office (GAO) examines the privacy implications of the
system.  The GAO must submit its report no later than February 15,

EPIC's Comments are available at:


EDRi's Comments are available at:


The text of H.R. 2555, which denies funding for CAPPS II
implementation until privacy concerns are addressed, is available at:


More information about CAPPS II and passenger profiling is available
at EPIC's Passenger Profiling Page:


More information about the disclosure of passenger data from the EU to
the US is available at EPIC's Surveillance of European Travelers Page:


[2] JetBlue and Acxiom are Subjects of EPIC Complaint to FTC

On September 22, EPIC filed a complaint with the Federal Trade
Commission (FTC) regarding the information-sharing practices of
JetBlue Airways Corporation and Acxiom Corporation, an information
systems company.  EPIC's complaint alleges that both JetBlue and
Acxiom shared the personal information of about 1.5 million passengers
with an information mining company that contracts with the Department
of Defense, which then published some of the passenger information
that it acquired.

Torch Concepts Inc., the company that obtained the passenger
information, contracts with the Department of Defense to develop
pattern recognition technology.  According to news reports, the
Department of Defense facilitated the release of the information.
JetBlue has stated that the Transportation Security Administration
(TSA) was also involved, a claim that TSA denies.  Once acquired,
Torch Concepts used the information to analyze passenger security

The disclosures were made in increments.  First, JetBlue provided
Torch Concepts with passengers' names, addresses and phone numbers.
Then, Torch Concepts acquired the demographic information of
approximately 40 percent of these passengers from Acxiom.  The
demographic information included Social Security number, date of
birth, gender, income, occupation, number of children, status of
property (owned, rented, etc.), years at residence, adults in
household, and vehicle information.

The complaint notes that by sharing this passenger information, both
JetBlue and Acxiom breached the companies' privacy policies that
specifically promised not to disclose such information without
consumer consent.  This breach of promise, alleges the complaint,
violates Section 5(a) of the Federal Trade Commission Act, which
prohibits deceptive acts or practices that affect commerce.

EPIC asked the FTC to investigate the disclosures made by JetBlue and
Acxiom, enjoin further disclosures without passengers' consent,
require the companies to inform those persons who had their
information disclosed, and assign all penalties that the FTC deems

EPIC's complaint regarding JetBlue and Acxiom is available at:


For more information on passenger profiling:

[3] Do-Not-Call Registry Hit with Legal Challenges

The Do-Not-Call Registry's status is in legal limbo after a
bewildering series of court decisions last week barred the Federal
Trade Commission from enforcing it.  The registry, which was supposed
to take effect October 1, is a joint effort by the FTC and Federal
Communications Commission which allows consumers to register their
phone numbers on a list which telemarketers are banned from calling.
More than 50 million individuals had submitted their numbers by the
time the registry was scheduled to take force.

The Do-Not-Call Registry's first challenge came from the U.S. District
Court of Oklahoma, which issued a decision early last week declaring
that the FTC lacked the authority to enforce the registry.  Congress
responded by quickly passing a bill specifically giving the FTC the
authority to implement the Do-Not-Call rules.  President Bush signed
the bill into law two days later.

However, in a second case challenging the Registry, Judge
Nottingham of the U.S. District Court of Colorado found that the
system violated the First Amendment by discriminating against types
of speech and hence barred the FTC from enforcing the registry, once
again.  Nottingham subsequently denied the FTC's request for an
emergency stay of the decision, and further prohibited the FTC from
sharing its Do-Not-Call database with the FCC.

The FTC has filed an appeal of the U.S. District Court of Colorado's
decision with the 10th Circuit Court of Appeals, and unless the court
takes immediate action, arguments will be heard in the appeal during
the week of January 12, 2004.  In the meantime, the Federal
Communications Commission has announced its intentions to enforce the
Do-Not-Call Registry, though it is currently constrained by the fact
that it is barred from obtaining the FTC's database or other
information necessary for enforcement.  Despite the court decisions,
the Direct Marketing Association has publicly urged its members to
abide by the Do-Not-Call rules, and FCC Chairman Michael K. Powell has
called upon the association to assist his commission in enforcing the

The U.S. District Court of Oklahoma's decision is available at:


The U.S. District Court of Colorado's decision is available at:


The Federal Trade Commission appeal to the 10th Circuit Court of
Appeals is available at:


For more information on the Do-Not-Call Registry:


[4] EPIC Testifies in the House on Cross Border Fraud

On September 17, EPIC Executive Director Marc Rotenberg testified
before the House Subcommittee on Commerce, Trade and Consumer
Protection on cross border consumer fraud and the reauthorization of
the Federal Trade Commission (FTC).  The FTC desires a broad extension
of its powers to help combat consumer fraud originating from both
inside and outside U.S. borders.  The proposed House bill, the
International Consumer Protection Act, establishes a legal framework
for the FTC to conclude international agreements and develop closer
co-operation with law enforcement agencies and consumer protection
agencies worldwide.

EPIC testified in support of closer cooperation with foreign law
enforcement agencies in fraud investigations, but offered a number of
recommended revisions to ensure that democratic values, including
privacy, government accountability and transparency, were duly
incorporated.  The FTC proposal allows for broad disclosure of
information concerning individuals and entities within the United
States.  It includes provisions that would allow the FTC and foreign
agencies to gain access to financial and electronic information for an
extensive period of time before having to notify the target of the
investigation.  The proposal also includes two exemptions from open
record obligations under the Freedom of Information Act.

In testimony before the House subcommittee, EPIC urged better privacy
safeguards and more openness about government activities.  EPIC also
recommended the establishment of new reporting requirements to allow
public oversight of the FTC's work.  Rotenberg told the Subcommittee,
"These principles of good government will assist consumer protection
agencies around the world combat cyber fraud, and will help strengthen
democratic institutions."

The House subcommittee made substantial improvements to the bill at a
markup on September 24.  The revised International Consumer Protection
Act reduces the period during which the FTC will be authorized to
access financial and electronic information without notification from
one year to sixty days.  The subcommittee also removed one of the two
proposed exemptions to the Freedom of Information Act.  The bill
includes a new section that sets out significant reporting
requirements for the Commission.  A provision that permitted the FTC
to cooperate with a foreign law enforcement agency regardless of
whether there was a violation of U.S. law has been removed.

The Senate version of the bill included a proposal that gave the FTC
and foreign law enforcement agencies access to the FBI's National
Crime Information Center (NCIC), the nation's most extensive
computerized criminal history database.  EPIC argued against this
provision at a hearing in June, after the FBI had announced that it
would no longer adhere to the Privacy Act requirement of maintaining
accurate information in the NCIC.  This provision was dropped in the
version of the Senate bill (S. 1234) reported by the Senate Commerce

With these modifications and additions, the International Consumer
Protection Act, H.R. 3143, was referred to the House Committee on
Energy and Commerce where it was reported out on October 1.  In the
Senate, the Republican sponsored bill (S. 1234) currently awaits floor
consideration, but has recently gained the co-sponsorship of
Democratic Senator Hollings.

EPIC's Testimony on Cross Border Fraud is available at:


A webcast of the September 17, 2003 hearing is available at:


The Senate Report of the Federal Trade Commission Reauthorization
Act of 2003 is available at:


[5] Coalition Questions HUD Homeless Surveillance Program

Eight civil liberties groups joined EPIC in opposing the Department of
Housing and Urban Development's implementation of Homeless Information
Management Systems (HMIS).  HMIS are programs intended to track
recipients of benefits in order to assess the number of persons
receiving care, and to improve efficiency of services to the poor.
While well intentioned, proposed mandatory guidelines for HMIS issued
by the Department are highly privacy-invasive.

The proposed guidelines create information collection requirements
that could be aggregated into a national homeless tracking system.
Homeless shelters and other care providers would have to collect full
legal names, dates of birth, Social Security Numbers, ethnicity and
race, gender, veteran status, and the person's residence prior to
program entry.  In some cases, even more sensitive information would
be collected, including disabilities, health status, pregnancy status,
HIV status, behavioral health status, education, employment, and
whether they have experienced domestic violence.

The groups argued that law enforcement, Secret Service, and national
security access to the data was too broad.  Police would be able to
obtain access to this sensitive data without a warrant, and the Secret
Service and agents of national security agencies could simply request
access to the database without a requirement of any judicial
oversight.  Additionally, the aggregation of personal information
raises risks that the homeless or disadvantaged could be located and
subjected to politically-motivated purges or forced removal.

The groups urged the agency to rewrite its HMIS guidelines in favor of
a system where the homeless are enumerated through representative
sampling or a "point in time" snapshot.  Such alternative approaches
are less expensive and require no collection of personally
identifiable information.  The groups also urged the agency to limit
law enforcement, Secret Service, and national security access to
personal information.  Finally, the groups recommended a series of
changes that would establish a framework of technical and procedural
protections for individuals' data.

Group Comments on Homeless Management Information Systems:


[6] News in Brief


A bipartisan group of Senators has introduced a new bill (The PATRIOT
Oversight Restoration Act of 2003) that would expand the sunset
provision of the USA PATRIOT Act to increase the number of the Act's
surveillance powers that will expire at the end of 2005.  The bill
would extend the sunset provision to more than a dozen specific
PATRIOT Act sections that are not now covered.

Sen. Patrick Leahy (D-VT) said that introduction of the bill reflects
the difficulty Congress has had in obtaining information on
implementation of the anti-terrorism law.  "Despite the
Administration's unprecedented public relations campaign to promote
the PATRIOT Act . . . the Administration has yet to show that it is
using its PATRIOT powers wisely."

On a similar note, Sen. Larry Craig (R-ID) said, "In light of the
serious concerns that have been raised, I think it is appropriate for
us to add some triggers to the law that will force Congress to review
and affirmatively renew these authorities."

Introduction of the Patriot Oversight Restoration Act:


Sen. Leahy's press release on the bill:



The Identity Theft Resource Center (ITRC) published a report detailing
the effects of identity theft on victims.  The report was based on a
survey of 173 victims.  The report found that victims spend an average
of 600 hours clearing their names.  Thirty-four percent reported that
they could not clear all the negative items from their credit reports.
Seventy-three percent reported that personal information was used to
open new credit reports, further showing that credit grantors'
practices are inadequate.  And, almost 75 percent of victims learned
about the theft in a "negative" way, meaning that they were alerted to
the presence of fraud by debt collectors or by being denied credit.

Read the Identity Theft: The Aftermath report at:



On October 2nd, the Office of Management and Budget (OMB) issued
guidelines to federal agencies on the implementation of privacy
provisions of the E-Government Act of 2002.  The guidelines govern how
the agencies handle and protect individuals' personally identifiable
information. Agencies will now be required to conduct privacy impact
assessments of their electronic information systems and post their
privacy policies on their web pages, among other stipulations. The OMB
guidelines are in line with many of the privacy guidelines established
by the Organization for Economic Cooperation and Development (OECD),
such as purpose specification, use limitation, security and openness.
However, they fail to address several important privacy issues, such
as principles of collection limitation, individual participation, data
quality, or accountability.  In addition, they fail to limit the
agencies to the collection of information that is specifically related
to the stated purpose, nor do they provide a means of individual
access and verification of the data. Nevertheless, they are a
substantial step forward in the implementation of privacy provisions
in the United States.

View the OMB's guidelines at:



Privacy International recently released a global survey entitled
"Freedom of Information and Access to Government Records Around the
World."  Compiled by David Banisar, director of the Freedom of
Information Project at Privacy International, the survey reports that
more than 50 countries around the world now have Freedom of
Information laws, more than half of which were passed in the last
decade.  It includes a detailed discussion of the laws in each of
these nations.  While the survey finds that access to government
records and information is increasing throughout the world, it also
notes that "the enactment of an FOI laws is only the beginning," and
that many countries need to improve implementation of the laws.

Read Privacy International's Freedom of Information Survey at:


[7] EPIC Bookstore: The Challenge of Crime

Henry Ruth & Kevin R. Reitz, The Challenge of Crime: Rethinking Our
Response, Harvard University Press (2003).


Ruth and Reitz's "The Challenge of Crime" is a refreshing analysis of
crime and attempts to control it.  It gives one hope that the criminal
justice community can transcend fad and demagoguery in favor of a more
systematic approach to crime.  Suspicious of both liberal and
conservative conceptions of crime control, the authors attempt to
drive the crime debate "toward rational, information-driven
initiatives" and away from "sheer guesswork, political rhetoric, and
pervasive emotionalism."  Among other things, the authors note that
some of the more popular crime control programs either are
ineffective, including the DARE anti-drug and militaristic "boot camp"
programs, or in the case of "scared straight" programs,

The authors suggest a crime response project that continually asks
whether crime interdiction programs are effective, whether they
relieve fear of crime, whether they promote justice, whether they
foster respect for law, and whether the response avoids extending
criminal law further than necessary to address the harms of crime.

The more compelling sections of the book discuss incarceration rates
in the U.S., which have been rising precipitously in the past twenty
years. Other chapters address the problems posed by drugs and alcohol,
juvenile crime, and interesting approaches to gun control regulation
that attempt to focus on criminal use of firearms rather than general
firearms control.

Ruth and Reitz's book is particularly relevant today, as leading law
enforcement officials continue to call for ever-increasing
punishments, as Attorney General John Ashcroft did in September 2003.
This age-old issue even attracted comment by Alexis De Tocqueville:
"In the Middle Ages, when it was very difficult to reach offenders,
the judges inflicted frightful punishments on the few who were
arrested ... It has since been discovered that, when justice is more
certain and more mild, it is more efficacious."  Ruth and Reitz's work is
a call for more empiricism and "discovery," as De Tocqueville put it, in
criminal justice, rather than simple "tough on crime" demagoguery.

--Chris Jay Hoofnagle


EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"Privacy & Human Rights 2003: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty-five countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

       EPIC Bookstore

       "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Localizing the Internet: Ethical Issues in Intercultural Perspective.
International Center for Information Ethics.  October 4-6, 2004.
Karlsruhe, Germany.  For more information:

Biometrics: Implications & Applications for Citizenship and
Immigration.  Citizenship and Immigration Canada.  October 7, 2003.
Ottawa, Canada.  For more information: http://cic-forum.ca/english/.

UbiComp 2003 Privacy Workshop.  October 12, 2003.  Seattle, WA.  For
more information:

Grassroots America Defends the Bill of Rights - National Conference.
Grassroots America (co-sponsored by EPIC).  October 18-19, 2003.
Silver Spring, MD.  For more information:

Security Laws and Privacy Seminar. Riley Information Service Inc.
October 20, 2003. Ottawa, Canada. For more information:

8th Symposium on Privacy and Security - Identity and Anonymity in an
Increasingly Interconnected World. Swiss Federal Institute of
Technology. October 21-22, 2003. Zurich, Switzerland. For more
information: www.privacy-security.ch

Getting the Technology You Deserve:  Community Participation in
Regional Cable Franchise Policy.  Computer Professionals for Social
Responsibility.  October 25, 2003.  Seattle, Washington.  For more
information: http://www.cpsr.org/conferences/annmtg03/

ICANN Meeting.  Internet Corporation for Assigned Names and Numbers.
October 27-31, 2003.  Carthage, Tunisia.  For more information:

IAPP Privacy and Data Security Academy and Expo. October 29-31, 2003.
Chicago, IL. For more information: http://www.privacyassociation.org

Business for Social Responsibility Annual Conference - Building and
Sustaining Solutions. November 11-14. Los Angeles, CA. For more
information: http://www.bsr.org

RFID Privacy Workshop.  Massachusetts Institute of Technology.
November 15, 2003.  Boston, Massachusetts.  For more information:

American Society of Access Professionals Workshop. November 18-19,
2003. St. Louis, Missouri. For more information:

Media Freedoms and the Arab World.  The Arab Archives Institute.
December 6-8, 2003. Amman, Jordan. For more information: email
aainstitute@yahoo.com or see

WHOLES - A Multiple View of Individual Privacy in a Networked World.
Swedish Institute of Computer Science. January 30-31, 2004. Stockholm,
Sweden. For more information: http://www.sics.se/privacy/wholes2004.

Securing Privacy in the Internet Age.  Stanford Law School.  March
13-14, 2004.  Palo Alto, CA.  For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:


Subscribe/unsubscribe via e-mail:

      To: epic_news-request@mailman.epic.org
      Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

      To: epic_news-request@mailman.epic.org
      Subject: "help" (no quotes)

Problems or questions? e-mail <info@epic.org>

Back issues are available at: http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription e-mail address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140
(tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.19 ----------------------