EPIC logo

                          E P I C  A l e r t
Volume 11.21                                           November 5, 2004

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.


Table of Contents

[1] 17,000 Election Day Incidents Reported by Voters, Election Staff
[2] EPIC Urges Agency to Postpone Secure Flight Testing
[3] EPIC Recommends Privacy Protections for Public Records
[4] Privacy Officials Denounce Collection of Canadians' Data
[5] EPIC Calls For US-VISIT Data Safeguards
[6] News in Brief
[7] EPIC Bookstore: The Box Man
[8] Upcoming Conferences and Events

[1] 17,000 Election Day Incidents Reported by Voters, Election Staff

The 2004 Election Day saw the largest voter turnout in decades, with
record numbers reached in many states.  The evaluation of the election
may take weeks or months, but the Election Incident Reporting System
has already registered over 17,000 Election Day incidents, including
everything from glitches in voting technology to problems with how the
election was administered in jurisdictions across the nation. The
greatest numbers of reports were from California, Florida, Texas,
Ohio, Pennsylvania, and New York.  The reports came directly from
voters and Election Protection staff supplied by voter access projects
conducted under the umbrella of the Leadership Conference on Civil
Rights.  The website used to record incidents was developed by members
of the Computer Professionals for Social Responsibility and Verified
Voting, with the assistance of members of the National Committee for
Voting Integrity.

At a post-election press conference and discussion conducted by the
National Committee for Voting Integrity, committee members reported
that the need for data and analysis is critical to understanding what
really happened on Election Day.  Any statements regarding successes
or failures must be backed by sound research, which is lacking.  What
is routine in most key private or public endeavors is a means of
reporting and investigating problems as they occur. Current United
States election administration, however, does not follow this model.

The National Committee for Voting Integrity announced a number of
election reform recommendations to be considered in the discussions
that will follow the election.  These recommendations focus on
securing voting technology from manipulation, establishing integrity
in the administration of elections, safeguarding voter privacy, and
guaranteeing equal voting rights in federal elections.

Election Incident Reporting System:


National Committee for Voting Integrity:


National Committee for Voting Integrity Recommendations:


Computer Professionals for Social Responsibility:


[2] EPIC Urges Agency to Postpone Secure Flight Testing

Concluding that Secure Flight passenger prescreening proposal is, like
CAPPS II, "exactly the sort of system that Congress sought to prohibit
when it enacted the Privacy Act of 1974," EPIC has called for the test
phase of Secure Flight to be postponed until the Transportation
Security Administration addresses the program's significant privacy
issues.  EPIC has also asked that the public's opportunity to comment
on the program be extended until the government is willing to make
more information about Secure Flight available to the public.

EPIC's recommendations were made in response to notices published by
the agency in September outlining plans for the test phase of Secure
Flight.  As described by the TSA, Secure Flight will compare Passenger
Name Records (PNRs) against information compiled by the Terrorist
Screening Center, which will include expanded "selectee" and "no fly"
lists.  TSA will also seek to identify "suspicious indicators
associated with travel behavior" in passengers' itinerary PNR data.
Furthermore, the agency is planning to test the use of commercial
databases to verify the accuracy of information provided by travelers.
TSA will administer the program, removing all passenger screening
responsibility from the airlines.  The agency also issued a proposed
order that will direct airlines to turn over passenger records from
June 2004 so that Secure Flight can be tested this fall.

EPIC's comments criticized the lack of transparency in the
government's development of Secure Flight, noting that the FBI, TSA,
and Bureau of Customs and Border Protection have all failed to
disclose details about the system in response to Freedom of
Information Act requests.  The comments also addressed TSA's failure
to provide individuals with meaningful access to personal information
and meaningful opportunities to correct inaccurate, irrelevant,
untimely and incomplete information.  EPIC also noted Secure Flight's
exemption from the requirement that a system maintain only information
that is "relevant and necessary" to perform the system's function.

EPIC concluded that "development of the system should be suspended
until TSA and other agencies involved in Secure Flight's development
are willing to disclose information about the program to the
public[.]"  EPIC also urged the agency not to collect personal
information about passengers for testing purposes until the Secure
Flight proposal has been revised to address the program's significant
privacy issues.

The comment period for the proposal ended just a week after President
Bush signed into law the Department of Homeland Security
Appropriations Act of 2005, which withholds funding for the deployment
of Secure Flight until the General Accounting Office examines the
privacy implications and other aspects of the system. The GAO must
submit its report no later than March 28, 2005.

EPIC's comments to TSA on the Secure Flight test phase:


EPIC's comments to the Office of Management and Budget on TSA's
request for emergency processing of June 2004 passenger data:


Privacy Act notice on the test phase of Secure Flight:


Secure Flight privacy impact assessment:


TSA request to the Office of Management and Budget for emergency
processing of June 2004 passenger data:


Department of Homeland Security Appropriations Act of 2005:


[3] EPIC Recommends Privacy Protections for Public Records

In comments to a committee formed by the Florida Supreme Court, EPIC
argued that protections should be in place for personal information
that appears in public records.  EPIC argued that the very purpose of
public records -- the ability of the individual to learn about the
government -- is turned on its head when the records include excessive
personal information.  Instead of being a citizen's window into
government activities, these records are giving the government, law
enforcement, and data brokers a window into our daily lives.  Without
privacy protections, court and other public records will be
commodified for commercial purposes unrelated to government oversight.

States that allow broad access to public records are supplying troves
of data to law enforcement.  For instance, ChoicePoint, a company that
sells personal information to law enforcement, includes thirty-six
extra databases on Florida residents and seven extra on Texans. Access
to information on Florida residents is particularly broad. It includes
marriage records, beverage licensees, concealed weapons permits, day
care licensees, handicapped parking permits, "sweepstakes," worker
compensation, medical malpractice, and salt water product licensees.

This information is also available to data marketers.  In the
comments, EPIC included advertisements for Florida residents'
information from government databases that is sold to marketers.  The
databases were for residents of Florida with auto insurance, those who
own SUVs, and those who own motorcycles.

EPIC recommended four approaches to reducing privacy risk with respect
to court records.  First, data should be minimized.  That is, the
court should collect the minimum information necessary to perform its
duties.  Second, protection should also be in place for paper records
because sophisticated data aggregators have the resources to visit the
actual courthouse and scan paper records to extract data from them.
Third, EPIC recommended that Florida consider limitations on the use
of public records so that they are not commodified for commercial
purposes.  Last, EPIC emphasized the importance of removing unique
identifiers from the records.  Social Security Numbers, birth dates,
addresses, and phone numbers all enable data aggregators to link
records and resell them for unrelated purposes.

EPIC's comments:


For more information about public record privacy, see EPIC's Public
Records Page:


[4] Privacy Officials Denounce Collection of Canadians' Data

Two Canadian privacy officials have released reports asserting that
the war on terror is compromising the privacy of Canadians.

In her annual report to Parliament, Canadian Privacy Commissioner
Jennifer Stoddart noted that increased collection of personal
information in the name of national security poses a grave threat to
civil liberties.  "Personal information about Canadians continues to
be gathered, stored, sorted and shared in alarming amounts on the
basis of the idea -- however unproven -- that more information about
individuals equals greater security against terrorists and other
threats," Ms. Stoddart's report says.  "We are concerned about the
increasing integration of our border security with that of the United
States, and the impetus this gives to the collection of large
databases of personal information about travellers, potential
travellers, and people in the transportation industry who must cross
borders regularly to do their jobs."

Ms. Stoddart further argued that "we must ensure the privacy rights of
individuals are not lost or submerged in the chorus of voices calling
for more security, more data, and more information about all of us."

Ms. Stoddart's findings were released shortly after a related report
by British Columbia's Information and Privacy Commissioner David
Loukidelis was made public.  Mr. Loukidelis' report concluded that the
USA PATRIOT Act violates British Columbian privacy laws, and that
personal information about Canadians may be accessible to the U.S.
government under the Act.  Mr. Loukidelis' report analyzed the
possible impact of outsourcing British Columbia government functions
to U.S. companies, and what happens when the U.S. government orders
those companies to turn over Canadian information through the USA

The report concluded that changes to privacy law and other measures
are necessary to protect British Columbians' personal information
against seizure under the controversial American law.  Recommendations
in the report include prohibiting personal information possessed by a
public body from being sent outside British Columbia for management,
storage or safekeeping and auditing outsourcing contracts and data
mining activities to assure that companies and government entities in
British Columbia comply with Canadian federal privacy laws.

Mr. Loukidelis' report was released just days after the British
Columbia provincial government passed a bill intended to protect
British Columbians against the USA PATRIOT Act.  Mr. Loukidelis called
the changes made by the new law "positive steps forward," but
concluded that "further amendments should be considered to strengthen
and clarify the new provisions."

Privacy Commissioner of Canada's annual report to Parliament:


Information and Privacy Commissioner of British Columbia's report on


For more information about the USA PATRIOT Act, see EPIC's USA PATRIOT
Act Page:


[5] EPIC Calls For US-VISIT Data Safeguards

EPIC warned the Department of Homeland Security this week of the
dangers of the expansion of a controversial border protection program.
In its November 1 filing with the agency, EPIC commented on potential
privacy implications of the United States Visitor and Immigrant Status
Indicator Technology (US-VISIT) program.  This program, in operation
since January 5, requires most foreign travelers to provide
fingerprints and photographs upon entering and exiting the U.S. at
selected ports.

This entry-exit system is based upon a vast network of databases
containing alien arrival and departure data accessible from
machine-readable visas, passports and other travel documents.  The
identifiers, which may expand to include other forms of biometrics,
are not only used to conduct identity and background checks, but are
also shared with outside law enforcement systems.

EPIC's comments were filed in response to an interim rule published by
DHS expanding US-VISIT to the 50 busiest land border points of entry
into the United States by the end of this year.  It also expanded the
category of individuals who must provide biometric identifiers and
other identifying information to include visitors who travel to the
United States through the Visa Waiver Program, as well as Mexican
citizens traveling to and from the United States.

EPIC's comments stressed the dangers of mission creep, pointing out
that DHS has provided no legal basis to "authorize widespread
disclosure of data for purposes wholly unrelated to the entry-exit
system's goals," such as allowing the FBI direct access to US-VISIT
information.  To guard against this problem, EPIC recommended that the
government apply international privacy standards to the collection and
use of personal information of non-U.S. citizens.

The comments also emphasized the importance of safeguarding the
accuracy and security of the information collected through US-VISIT.
The DHS interim rule pledges to develop "the most accurate and
efficient" method of collecting information by evaluating the cost and
expediency of the options.  EPIC pointed out that these goals can not
be met unless the agency focuses on the rate of error associated with
the system and the potential for unauthorized access to the

US-VISIT has implemented a three-step system for correcting errors
contained in its database.  EPIC's comments commended this step as a
much-needed protection, but urged the agency to recognize some form of
judicial review of its internal decisions.

EPIC's comments on the US-VISIT program:


For more information about the US-VISIT program, see EPIC's US-VISIT


[6] News in Brief


In a September 21 decision, the Court of Justice of the European
Communities denied the European Parliament's request that the court
quickly review a complaint on the Passenger Name Records (PNR)
agreement passed last May between the Department of Homeland Security
and the European Commission.  The European Parliament claimed last May
that the PNR agreement should be annulled, arguing that it violates
European data protection legislation, and that the European
Parliament's assent is necessary for the agreement to enter into

The court held that an emergency ruling would not prevent the "serious
consequences" the PNR agreement may have on the passengers concerned.
The European jurisdiction observes that in order to exclude or limit
the legal consequences of the PNR agreement on passengers, the
European Parliament should have applied for a preliminary injunction
(demande de sursis à l'exécution), which was the most appropriate
procedure available.

The Court's ruling on the PNR agreement is not likely to be issued
until the end of 2007, just as the agreement expires.

The court's decision:

      http://www.epic.org/redirect/ecj_decision.html (in French)

For more information about the agreement, see EPIC's EU-U.S. Airline
Passenger Data Disclosure Page:



In comments filed October 25, EPIC urged the Transportation Security
Administration to safeguard personal information in two data
collection programs.  The Transportation Workers Identification
Credentialing System (TWIC) and the Transportation Security Threat
Assessment System (T-STAS) are intended to compile data on a variety
of people directly and indirectly related to the transportation
industry, including flight crews, passenger screeners, and aliens or
"other individuals designated by TSA" who apply for flight training.
The comments noted the dangers of identity theft, misappropriation and
mission creep if the data collected for these programs are not
properly protected.  EPIC stressed that "TSA must take great care to
ensure that both collections do not become error-filled, invasive
repositories of all sorts of information bearing no relationship to
their stated goal."

EPIC's comments on TWIC and T-STAS:


EPIC's air travel privacy page:



A recent survey by Artafact LLC and BIGresearch reveals that a
majority of consumers who are aware of RFID technologies are "very or
somewhat concerned about invasion of privacy issues."  88% of
respondents concerned with privacy cited the government as the
organization most likely to abuse consumer privacy information.  After
the government come "crooks and bad guys," banks, insurance companies
and credit card companies as the entities most likely to abuse
consumers' personal information.  Only 35% of consumers concerned
about protecting their personal information believed that RFID (Radio
Frequency Identification) is a "good idea." Although consumers
surveyed also recognized the benefits of easily tracking merchandise
and preventing theft for businesses, many of them believe they will
not reap any benefit from RFID technology and are concerned with
potential for misuse, given the lack of any safeguards.

Previous surveys have shown similar consumer privacy concerns. A June
2004 study conducted by Capgemini Group and the National Retail
Federation found that 77% of more than 1,000 consumers surveyed were
not familiar with RFID.  Of those that were familiar with RFID, less
than half (42%) had a favorable perception of the technology, while
31% had no opinion.  An Auto-ID Center/Proctor & Gamble-sponsored
survey, not intended for public dissemination, found that 78% of
respondents had a negative reaction to RFID use, with more than half
of the respondents claiming to be extremely or very concerned. The
study also found that consumers did not want "smart tags" in their
homes, and the reassurance that the "tags" could be turned off and
privacy guaranteed was not compelling.

The Artafact LLC and BIGresearch study:


The Auto-ID Center/Proctor & Gamble survey:


For more information about radio frequency identification, see EPIC's
RFID Page:



In a notice published in the Federal Register, the Selective Service
System announced that it will begin matching its records with the
Department of Education.  The stated purpose of the data matching is
to determine whether students with federal student aid loans have
registered for the draft, as federal law prohibits unregistered
individuals from receiving government funds under the Higher Education
Act of 1965.

Federal Register Notice:


For more information about the Privacy Act, see EPIC's Privacy Act



A brother and sister from North Carolina became the first people in
the nation convicted on felony spamming charges this week.  A jury in
Loudon County, Virginia, found both Jeremy Jaynes and his sister,
Jessica DeGroot, guilty of three felony violations of the Virginia
anti-spam law for flooding the email accounts of America Online users
with more than 10,000 unsolicited commercial ads from fake Internet
addresses in just three days.  The jury, in what could be viewed as a
statement on the value placed on this form of commercial speech,
recommended a sentence of nine years in prison for Jaynes, and a fine
of $7,500 for DeGroot.  A third defendant was acquitted on all three

For more information about spam, see EPIC's Spam Page:


[7] EPIC Bookstore: The Box Man

Kobe Abe, The Box Man (Vintage Books 1974).


The Box Man is a study of a nameless protagonist who dons a box and
observes life in anonymity, often wandering in circles around Tokyo.
It's a hilarious story, complete with air gun-wielding objectors to
box men, "fake" or wanna-be box men, and a strange woman who is
constantly undressing.  There is perhaps no concise way to explain
this work, as much of it is either imagination or dream, so I have
simply quoted from it:

"This is a record of a box man."

"I am beginning this account in a box.  A cardboard box that reaches
just to my hips when I put it on over my head."

"That is to say, at this juncture the box man is me.  A box man, in
his box, is recording the chronicle of a box man."

". . . [I]t requires considerable courage to put the box on, over your
head, and get to be a box man . . . as soon as anyone gets into this
simple, unprepossessing paper cubicle and goes out into the streets,
he turns into an apparition that is neither man nor box . . ."

--Chris Jay Hoofnagle


EPIC Publications:

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.


This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Privacy & Human Rights 2003: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty-five countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

BloggerCon III.  Stanford Law School.  November 6, 2004.  Palo Alto,
CA.  For more information: http://www.bloggercon.org/III.

Copyright & Privacy: Collision or Coexistence?  The John Marshall Law
School.  November 18, 2004.  Chicago, IL.  For more information:

The 2004 Isaac Pitblado Lectures: Privacy -- Another Snail in the
Ginger Beer.  The Law Society of Manitoba, The Manitoba Bar
Association and the University of Manitoba Faculty of Law.  November
19-20, 2004.  Manitoba, Canada. For more information:

2004 Big Brother Awards Hungary.  November 25, 2004.  Budapest,
Hungary.  For more information: http://hu.bigbrotherawards.org.

Africa Electronic Privacy and Public Voice Symposium.  The Public
Voice.  December 6, 2004.  Capetown, South Africa.  For more
information: http://www.thepublicvoice.org/events/capetown04.

National Security, Law Enforcement and Data Protection.  British
Institute of International and Comparative Law Data Protection
Research and Policy Group.  December 8, 2004.  London, UK.  For more
information: http:www.biicl.org.

3rd Annual Digital Rights Management Conference 2005.  Ministry of
Science and Research of the State Northrhine Westfalia, Germany. 
January 13-24, 2005.  Berlin, Germany.  For more information:

12th Annual Network and Distributed System Security Symposium. The
Internet Society.  February 3-4, 2005.  San Diego, CA.  For more
information: http://www.isoc.org/isoc/conferences/ndss/05/index.shtml.

14th Annual RSA Conference.  RSA Security.  February 14-18, 2005.  San
Francisco, CA.  For more information:

The World Summit on the Information Society PrepCom 2.  February
17-25, 2005.  Geneva, Switzerland.  For more information:

The Concealed I: Anonymity, Identity, and the Prospect of Privacy.  On
the Identity Trail and the Law and Technology Program at the
University of Ottawa.  March 4-5, 2005.  Ottawa, Canada.  For more
information: http://www.anonequity.org/concealedI.

O'Reilly Emerging Technology Conference.  March 14-17, 2005.  San
Diego, CA.  For more Information:

7th International General Online Research Conference.  German
Society for Online Research.  March 22-23, 2005.  Zurich, Switzerland.
For more information: http://www.gor.de.

5th Annual Future of Music Policy Summit.  Future of Music
Coalition.  April 10-11, 2005.  Washington DC.  For more information:

CFP2005: Fifteenth Annual Conference on Computers, Freedom and
Privacy.  April 12-15, 2005.  Seattle, WA.  For more information:

2005 IEEE Symposium on Security and Privacy.  IEEE Computer Society
Technical Committee on Security and Privacy in cooperation with The
International Association for Cryptologic Research.  May 8-11, 2005.
Berkeley, CA.  For more information:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing. 
Technical Committee on Security & Protection in Information Processing
Systems with the support of Information Processing Society of Japan. 
May 30-June 1, 2005.  Chiba, Japan.  For more information:

3rd International Human.Society@Internet Conference.  July 27-29,
2005.  Tokyo, Japan.  For more information: http://hsi.itrc.net.

The World Summit on the Information Society.  Government of Tunisia.
November 16-18, 2005.  Tunis, Tunisia.  For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information, see
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.  Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 11.21 ----------------------