
                            E P I C  A l e r t
Volume 10.21                                           October 17, 2003

                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] EPIC Sues DOJ for PATRIOT Act Lobbying Info
[2] Canada's Biometric ID Plan Under Fire
[3] EPIC, PIRG Submit Comments on Bank Security Notices
[4] Senate Passes Genetic Privacy Measure
[5] European Parliament Opposes Air Travel Data Transfer
[6] News in Brief
[7] EPIC Bookstore: Corporateering
[8] Upcoming Conferences and Events

[1] EPIC Sues DOJ for PATRIOT Act Lobbying Info

EPIC filed suit in federal district court this week seeking the
release of Department of Justice (DOJ) records regarding the efforts
of federal prosecutors to oppose legislative revisions to the
controversial USA PATRIOT Act.  The lawsuit challenges DOJ's refusal
to expedite the processing of EPIC's Freedom of Information Act (FOIA)
request for the material.

On July 22, the House of Representatives voted 309-118 to prohibit the
use of federal funds for the execution of delayed notice search
warrants. "Sneak and peek" warrants, which were authorized by the USA
PATRIOT Act, allow law enforcement officers to conduct a search of an
individual's property and delay notifying that individual until after
the search occurred.  On August 14, DOJ issued a memorandum urging all
U.S. Attorneys "to call personally or meet with . . . congressional
representatives" to talk over "the potentially deleterious effects" of
denying funding for delayed notification warrants.  The memo included
a list of Representatives and identified those who had voted to
prohibit such warrants.  The memorandum received substantial media
coverage and raised serious questions regarding the legality of the
prosecutors' lobbying efforts.

EPIC submitted a FOIA request to DOJ for information about the
memorandum, and requested expedited processing, as provided under the
FOIA and DOJ regulations.  The department refused to expedite on the
grounds that "the subject of [EPIC's] request is not one of
exceptional media interest, nor does it raise any questions about the
government's integrity which might affect public confidence."
Furthermore, DOJ determined that EPIC's request "does not support a
finding that that there is an urgency to inform the public" about
DOJ's lobbying campaign.

EPIC filed suit October 14, seeking a preliminary injunction requiring
DOJ to process EPIC's request and release the documents as soon as
possible.  In support of its entitlement to expedited processing, EPIC
noted widespread media interest in the DOJ memorandum and cited
editorials and news articles questioning the propriety of the
prosecutors' lobbying activities.

EPIC's memorandum in support of its motion for a preliminary
injunction is available at:


For background information, see EPIC's USA PATRIOT Act page:


[2] Canada's Biometric ID Plan Under Fire

The proposal by the Immigration Minister to implement a system of
biometric identification in Canada has met with a blast of public
opposition since its inception last year.  In the face of concerns
over terrorism, and in the interest of furthering commerce and travel,
the program aims to encode biometric identifiers -- such as iris
scans, fingerprints and hand geometry -- onto ID cards in order to
guarantee that each Canadian is who he or she claims to be.  A
biometric identifier is any physical characteristic of a person that
can be recorded and matched against a person.

An interim report issued by the House of Commons quotes the Minister
as stating: "The card provides certainty because of the security
around its issuance and the technology used in the card."  However,
the report referred to polls and the testimony of several experts to
show that support for the biometric IDs is not strong.  The report
also cautioned that biometric IDs "could have wide implications for
privacy, security and fiscal accountability," and proposed that the
government receive more feedback from the public-at-large.

At the same time, a report by Citizenship and Immigration Canada, a
department of the Canadian government, found that most people predict
that biometric identifying IDs will be found in all Canadians' wallets
within the next ten years.

The report was released at a two-day conference held to encourage
discussion of the use of biometric identifiers and a national ID card
and lay out how the policy would be implemented.  Stephanie Perrin,
President of Digital Discretion Company, Inc. and senior fellow at
EPIC, addressed privacy concerns at the conference.  She urged caution
and pointed to several inherent problems with the policy, including
the rapid implementation, the security of the information, persons
unable to produce a certain biometric identifier, and other abuses and
discriminations that are likely to result.  Another concern is cost.
Governmental forecasts of the financial cost of the project range from
3 to 7 billion dollars ($2.3 to $5.3 in USD).  However, foreign
watchdog groups that have studied similar plans in other countries
insist these projections are likely too low.

Not all government officials are on board with the plan.  Canada's
Interim Privacy Commissioner recently issued a statement, warning of
the complexity, risks and costs of the program.  He stated that
identification cards "allow us to be identified even in situations
where we have every right to remain anonymous" and warned that
"without technical limitations and strict controls on their use, they
are a power tool to link together our various activities and produce
profiles of our lives."

There are indications that public opposition may be turning the tide.
Earlier this month, the Minister was reported to have back-pedaled on
his one-mechanism approach to verifying citizen identity.  In a
statement, the Minister proposed a more incremental approach.  The
second approach would implement biometric technology into existing
government-issued documents, instead of just one card.

Visit the Citizenship and Immigration Canada conference web site at:


For additional information on ID cards, see EPIC's National ID page 


For additional information on biometrics, see EPIC's Biometrics page


[3] EPIC, PIRG Submit Comments on Bank Security Notices

EPIC, in conjunction with the U.S. Public Interest Research Group
(PIRG), has submitted comments to the Department of the Treasury
regarding proposed guidance on security notices to bank customers, in
accordance with the Gramm-Leach-Bliley Act.  The groups urged the
agency to strengthen its guidelines, which specify when a financial
institution must give notice to a customer when personal information
has been accessed without authorization.

The groups called on the agency to require financial institutions to
institute monitoring systems to detect unauthorized access to personal
information.  Being aware of breaches in security is critical to
maintaining the integrity of the customer information systems and
responding appropriately to violations.  The comments also noted that
the proposed guidance leaves room for broad interpretation as to when
financial institutions should provide their primary Federal regulator
with notice of a security breach.  Hence, the comments urged that an
institution should promptly report any incidents of unauthorized
access generally, rather than only when customer information is
actually used.  The groups also noted that specific guidance is needed
as to the method and content of notification, and that the agency
should include a certification requirement as part of its notification

With regard to consumer communication, the comments praised the agency
for not allowing any circumstances that may delay notification of the
affected customers.  However, the groups made several suggestions for
improving the means of notifying consumers.

The EPIC and U.S. PIRG comments are available at:


The Treasury's proposed guidelines are available at:


For background information, see EPIC's Gramm-Leach-Bliley Act page at:


[4] Senate Passes Genetic Privacy Measure

The Senate, in a bipartisan effort, unanimously passed the Genetic
Information Nondiscrimination Act of 2003 (S.1053) earlier this week.
The legislation, sponsored by Sen. Olympia Snowe (R-ME), prohibits
discrimination in health insurance by employers' group health plans
and by health insurance issuers on the basis of genetic information.
Group health plans and health insurers are forbidden to limit
enrollment or vary premiums on the basis of genetic information or on
the basis of an individual's request for genetic tests or services
such as genetic counseling.  They are also prohibited from requesting
or requiring genetic tests.

Genetic information is broadly defined to include an individual's
genetic tests, genetic tests of an individual's family, or occurrence
of diseases or disorders in the family history.  Employers are
prohibited from discriminating in hiring, promotions or in any other
way on the basis of genetic information or on the basis of a request
for genetic services.  Employers are prohibited from requiring genetic
tests or from purchasing genetic information.  Employers are permitted
to engage in genetic monitoring of the biological effects of toxic
substances in the workplace when such monitoring is required by state
or federal law, but may do so only with prior written notice and
authorization of employees.  Employment agencies and labor
organizations are also prohibited from discriminating on the basis of
genetic information.

The legislation will now go to the House of Representatives, which is
likely to act on it next year.  Senate sponsors, however, are urging
speedier action, and hope that Senate and White House support will
encourage the House to take up the issue this year, rather than next.

Read the Genetic Information Nondiscrimination Act of 2003 at:

Read Sen. Snowe's statement on the legislation at:


For background information, see EPIC's Genetic Privacy page at:


[5] European Parliament Opposes Air Travel Data Transfer

On October 9, the European Parliament overwhelmingly passed a
resolution concerning airlines' transmission of personal data to the
United States.  In doing so, the Parliament made clear the position of
the European Union on negotiations with the U.S.  The resolution not
only details various concessions the European Commission must require
of the United States, but requires that the Commission act within two
months, or else be brought to the Court of Justice by the European
Parliament for failure to do so.

The resolution reveals the increasing urgency of an agreement on the
issue, stating that it is imperative that passengers, airlines and
reservation systems receive clear indications as soon as possible on
which measures are to be taken in response to the demands made by the
U.S. authorities.  The details of the resolution were partially shaped
by the recommendations made by the International Conference of Data
Protection and Privacy Commissioners held in Sydney in September.  The
commissioners recommended that international transfers of data should
be made within the framework of international agreements defining the
conditions necessary for ensuring data protection, the clear targets
that justify the collection of data, a specific and not excessive
number of items of data, strict limits on the storage period, the
provision of adequate information to the persons concerned, and
mechanisms to correct possible errors.

The Parliament urged the EC to determine what data may legitimately be
transferred by airlines and/or computerized information systems to
third parties.  In doing so, the EC is asked to consider ways to
prevent discrimination against non-U.S. passengers and retention of
data beyond the length of a passenger's stay on U.S. territory.  The
EC should require that passengers be fully and accurately informed
prior to purchase and their consent be mandatory for data transfer to
the U.S.  It should also seek to increase passenger access to a "swift
and efficient appeals procedure should any problem arise."

The requirements of the European Parliament concerning the transfer of
personal data by airlines have not changed substantially since
previous resolutions.  What has changed is the impatience of the
Parliament with the prolonged process, including the time allotted to
reach an international agreement, and their quest for alternative ways
to heighten airline security.  The EC has been given a two-month time
frame as well as a warning of repercussions should it not comply.  The
resolution now calls on the EC within this time frame to deny airlines
and computerized information systems any access and/or transfer that
is not in accordance with the principles.

The text of the October 9 European Parliament resolution is
available at:


For background information, see EPIC's passenger profiling page at:


The September 2003 resolution passed by the Data Protection & Privacy
Commissioners is available at:


[6] News in Brief


The Federal Trade Commission's Do-Not-Call registry is back in effect,
thanks to a decision by the U.S. Court of Appeals for the 10th
Circuit.  The court issued a stay of a Colorado District Court's
injunction barring enforcement of the Do-Not-Call registry.  The lower
court had found the registry to be a violation of free speech, but
that decision was appealed by the FTC, with oral arguments set to be
heard on November 10.  The appellate court ruled that the FTC should
be able to implement the Do-Not-Call registry in the meantime, finding
that the FTC demonstrated a substantial likelihood of success on the
merits in appeals.  The FTC has re-opened registration to the
Do-Not-Call list and is now taking complaints from consumers regarding
telemarketing violations.

The 10th Circuit's decision is available at:


For background information, see EPIC's Do-Not-Call page at:



The Supreme Court announced it will hear arguments on the Child Online
Protection Act (COPA), a law passed by Congress in 1998 with the
intent of limiting children's access to Internet pornography.  COPA
was immediately challenged by EPIC, the ACLU and other groups on free
speech grounds and has been stuck in legal limbo ever since.  The U.S.
Court of Appeals for the 3rd Circuit has twice struck down the law,
and the Bush administration has appealed both times.  Oral arguments
in the case -- Ashcroft v. ACLU, No. 03-218 -- will take place in
early 2004 and a decision is expected by July.

For background information, see EPIC's Child Online Protection Act
page at:

     http://www.epic.org/free_speech/censorship/copa.html


REPORT SLAMS WEBSITE PERSONALIZATION

A new report by Jupiter Research found that personalizing websites for
marketing purposes was costly and ineffective.  The report, entitled
"Beyond the Personalization Myth," stated that companies would be
better served by improving site basics, such as navigation, rather
than tailoring pages according to information gathered about
individual visitors.  The study also found that operating a
personalized Web site cost more than four times as much as operating a
"comparable dynamic site."  Jupiter reported that users were not
overly fond of personalized sites, due largely to privacy concerns.
In fact, more than 25 percent of consumers surveyed by Jupiter said
they avoided Web site customization because of concerns that marketers
would misuse the information.

Information about the report is available at:

     http://news.com.com/2100-1038-5090716.html


ICANN TO CONSIDER WHOIS PRIVACY IN CARTHAGE

ICANN will hold a WHOIS Workshop on October 29, 2003 in Carthage,
Tunisia.  At this workshop, privacy concerns of Internet domain name
registrants will be discussed.  The Non-Commercial Users Constituency
is proposing several policy changes to WHOIS that would minimize the
amount and type of personal data that an individual must disclose and
protect such sensitive personal data from unrestricted public access.
The Public Interest Registry, which manages the .ORG domain, has also
made recommendations to improve privacy for WHOIS data.

The ICANN Carthage WHOIS Workshop Agenda is available at:

     http://www.icann.org/carthage/whois-workshop-agenda.htm

For background information, see EPIC's WHOIS Privacy page:

     http://www.epic.org/privacy/whois/


TECH ROUNDTABLE DISCUSSES USING RFID TAGS ON CHILDREN

On October 8, the High Tech Child Safety Roundtable met at the George
Washington University to discuss the use of wireless networking to
track the location of children for their safety.  Specifically, the
panel focused on embedding RFID tags in children's clothing, shoes,
pins, ID cards, and other items to monitor the location of a child.
However, the systems discussed would track children only while within
range of a school or other location that had deployed the technology;
such a system would be similar in effect to video surveillance or a
parent watching their child.  The Roundtable further addressed
technical implementation issues and data access problems arising from
such a system.

See the High Tech Child Safety Roundtable site at:

     http://www.kidlocate.org

For background information, see EPIC's RFID page at:

     http://www.epic.org/privacy/rfid/


INTERNATIONAL CONSUMER GROUP LAUNCHES SPAM SURVEY

The Transatlantic Consumer Dialogue, which represents EU and U.S.
consumers, has launched an online survey to assess consumers'
attitudes on spam email.  The results of the survey will be announced
to senior officials from OECD governments and representatives of the
international press in February 2004.

The survey is available at:

     http://www.net-consumers.org/erica/spamsurvey.htm

======================================================================
[7] EPIC Bookstore: Corporateering
======================================================================

Jamie Court, Corporateering: How Corporate Power Steals Your Personal
Freedom and What You Can Do About It, Tarcher/Putnam (2003).

     http://www.powells.com/cgi-bin/biblio?inkey=8-1585422282-0

Ralph Nader claimed that when he wants to listen to classical music he
no longer needs a radio; instead he calls a major airline and waits on
hold for a representative.  Jamie Court in "Corporateering" takes note
of dozens of similar annoyances and weaves them into a broader
argument that corporations increasingly "have strained and drained
people's most vital resources, including their money, energy, time,
health, safety, rights, and their own power."

Many of Court's examples of irresponsible behavior involve privacy,
including the traffic in personal information and invasive marketing
to children.  Court argues that corporations have exceeded their roles
as marketplace actors to a position where they dominate culture and
trample on individual rights.

Court, the Director of the Foundation for Taxpayer and Consumer
Rights, an assertive California-based non-profit, begins this work
with a definition of corporateer: "v. to prioritize commerce over
culture; n. one who prioritizes commerce over culture."  The book
details how corporations have abused power to corner markets, to
deceive individuals, and to infect the public sphere with mindless
commercialism by naming sports venues and other public places for
corporations which used to be named for great men.

One of the most remarkable portions of the book is a summary of a
legal memorandum written by Lewis Powell before his appointment to the
Supreme Court.  It details how business can capture the public sphere,
and assert power over the individual.  The Powell memo advocated a
massive pro-business public relations effort and much of it has
crystallized.  For instance, one of Powell's suggestions was to create
a community of scholars to promote business interests.  Today, groups
like the American Enterprise Institute, whose "academics" have the
same level of scholarly independence as a professor of theology at Bob
Jones University, dominate the scene of Washington policymaking,
issuing endless reports trumpeting their theology of Mammon: public
bad, private good.  Amen.

The book concludes with a series of recommendations for individuals
who wish to counter irresponsible business power.  Thorough appendixes
suggest laws, institutions, and a new lexicon that could be employed
to empower the individual.

Court's work would benefit from a more prominent disclaimer that not
all corporate activity is bad.  A lack of recognition of this fact
weakens his argument (his non-profit technically is a corporation, for
instance).  Nevertheless, Court's book is well written and insightful
and one can hear the influence of Frederick Douglass in his call to
action: "Small evils quickly become large ones when nourished by
institutions as powerful as modern corporations and not responded to
by individuals."

-Chris Jay Hoofnagle

================================

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40.  http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

================================

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002).  Price: $40.
http://www.epic.org/bookstore/foia2002/

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.

================================

"Privacy & Human Rights 2003: An International Survey of Privacy Laws
and Developments" (EPIC 2002).  Price: $35.
http://www.epic.org/bookstore/phr2003/

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty-five countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001).  Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000).  Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20.  http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

======================================================================
[8] Upcoming Conferences and Events
======================================================================

Grassroots America Defends the Bill of Rights - National Conference.
Grassroots America (co-sponsored by EPIC).  October 18-19, 2003.
Silver Spring, MD.  For more information:
http://www.grassroots-america.org/.

Security Laws and Privacy Seminar.  Riley Information Service Inc.
October 20, 2003.  Ottawa, Canada.  For more information:
http://www.rileyis.com/seminars/index.html

8th Symposium on Privacy and Security - Identity and Anonymity in an
Increasingly Interconnected World.  Swiss Federal Institute of
Technology.  October 21-22, 2003.  Zurich, Switzerland.  For more
information: www.privacy-security.ch

Getting the Technology You Deserve: Community Participation in
Regional Cable Franchise Policy.  Computer Professionals for Social
Responsibility.  October 25, 2003.  Seattle, Washington.  For more
information: http://www.cpsr.org/conferences/annmtg03/

Reporting Cyberterrorism.  The Newseum and Carnegie Mellon University.
October 27, 2003.  Washington, DC.  For more information:
(703) 284-3527.

ICANN Meeting.  Internet Corporation for Assigned Names and Numbers.
October 27-31, 2003.  Carthage, Tunisia.  For more information:
http://www.icann.org/carthage/

IAPP Privacy and Data Security Academy and Expo.  October 29-31, 2003.
Chicago, IL.  For more information: http://www.privacyassociation.org

Business for Social Responsibility Annual Conference - Building and
Sustaining Solutions.  November 11-14.  Los Angeles, CA.  For more
information: http://www.bsr.org

RFID Privacy Workshop.  Massachusetts Institute of Technology.
November 15, 2003.  Boston, Massachusetts.  For more information:
http://www.rfidprivacy.org

American Society of Access Professionals Workshop.  November 18-19,
2003.  St. Louis, Missouri.  For more information:
http://www.acesspro.org

Media Freedoms and the Arab World.  The Arab Archives Institute.
December 6-8, 2003.  Amman, Jordan.  For more information: email
aainstitute@yahoo.com or see
http://www.ijnet.org/FE_Article/newsarticle.asp?UILang=1&CId=115794&CIdLang=1.

WHOLES - A Multiple View of Individual Privacy in a Networked World.
Swedish Institute of Computer Science.  January 30-31, 2004.
Stockholm, Sweden.  For more information:
http://www.sics.se/privacy/wholes2004.

Securing Privacy in the Internet Age.  Stanford Law School.  March
13-14, 2004.  Palo Alto, CA.  For more information:
http://cyberlaw.stanford.edu/privacysymposium/.

International Conference on Data Privacy and Security in a Global
Society.  Wessex Institute.  May 11-14, 2004.  Skiathos, Greece.  For
more information:
http://www.wessex.ac.uk/conferences/2004/datasecurity04/index.html.

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via e-mail:

     To: epic_news-request@mailman.epic.org
     Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Problems or questions? e-mail <info@epic.org>

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.
We do not sell, rent or share our mailing list.  We also intend to
challenge any subpoena or other legal process seeking access to our
mailing list.  We do not enhance (link to other databases) our mailing
list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription e-mail address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.  Or you can
contribute online at:

     http://www.epic.org/donate/

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.21 ----------------------