====================================================================== E P I C A l e r t ====================================================================== Volume 11.22 November 18, 2004 ---------------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org/alert/EPIC_Alert_11.22.html ====================================================================== Table of Contents ====================================================================== [1] EPIC Releases 2004 Privacy & Human Rights Report [2] Agency Orders 72 Airlines to Turn Over Passenger Information [3] EPIC Joins Coalition to Support Privacy in Email Intercept Case [4] Government Report Finds SSNs in Many State, County Records [5] FTC Proposes Major Telemarketing Loophole [6] News in Brief [7] EPIC Bookstore: Privacy & Human Rights 2004 [8] Upcoming Conferences and Events ====================================================================== [1] EPIC Releases 2004 Privacy & Human Rights Report ====================================================================== The Electronic Privacy Information Center and Privacy International released the seventh annual Privacy & Human Rights survey on November 17. This report reviews the state of privacy in more than sixty countries around the world. It outlines legal protections for privacy and new challenges, and summarizes important issues and events relating to privacy and surveillance. The 2004 survey points to several key global developments that have taken place in the last year, from the establishment of traveler profiling systems, the creation of biometric IDs and smart cards to the use of radio frequency identification technologies, video surveillance, and DNA and health information databases. Government authorities and private companies have increased their use of these new technologies and been keen on setting up sophisticated identification and surveillance of their citizens, customers and employees. As the use of such technologies has increased, many countries around the world have pursued policy and legislative efforts to respond to the threat of terrorism. These efforts are intended to provide law enforcement and national security agencies with more tools of control and intensify collection of information and data sharing, thanks to a growing cooperation between government agencies and the private sector, while limiting means of oversight of those practices. Several governments, the United States government taking the lead, have deployed new measures to facilitate the identification and tracking of people traveling across country borders, from passenger prescreening and profiling systems to biometric travel documents and databases for foreigners. Many governments have established new national ID schemes. Others have revived schemes that were rejected in the past due to lack of public support or legitimacy, covering first foreigners and minority populations, and extending them later to all citizens. Video surveillance, smart cards and DNA databases also present growing risks to individuals' privacy, as do the use of radio frequency identification technologies in the private and public sectors. Some criticisms of these new technologies focus on the lack of adequate data protection laws in the countries in which they are used. Others question the increasing number of purposes for which these technologies are used regardless of the motives that originally justified their deployment. Opposition to these technologies has been voiced by numerous stakeholders. National parliaments have questioned the legitimacy of some of the technologies or their presumed effectiveness. Data protection authorities have issued reports and filed complaints to pinpoint ethical, legal and social implications for citizens' civil liberties and privacy rights. Human rights groups have organized coalitions to oppose some of the most intrusive surveillance proposals. Progress for privacy is also noticeable in the 10 new European Member States, mostly in Eastern Europe, where the EU Data Protection Directive has been transposed in the legal framework. Furthermore, Asian and Latin American countries have passed new privacy legislation to tackle the potential misuse of personal information by new technologies. To learn more about the report or purchase copies, visit the EPIC Bookstore: http://www.epic.org/bookstore/phr2004 The report is also available online at Privacy International's web site: http://www.privacyinternational.org/survey/phr2004 ====================================================================== [2] Agency Orders 72 Airlines to Turn Over Passenger Information ====================================================================== The Transportation Security Administration has demanded that 72 airlines turn over a month's worth of passenger data to test the Secure Flight passenger prescreening program. The airlines have been told they must give the agency all Passenger Name Records (PNRs) from June 2004 domestic flights by November 23. The order will affect PNRs of about 50 million passengers. Data that will be disclosed to the government may include such sensitive information as credit card numbers, travel itineraries, addresses, telephone numbers and meal requests, which could reveal a passenger's religion or ethnicity. TSA has exempted the information collected during the test phase of Secure Flight from important protections provided by the Privacy Act, such as judicially enforceable rights to access and correct personal data. The agency has also exempted the test phase from the Privacy Act requirement that the government maintain only information that is "relevant and necessary" to perform the test phase. As proposed by the TSA, Secure Flight will compare PNRs against information compiled by the Terrorist Screening Center, which will include expanded "selectee" and "no fly" lists. TSA will also seek to identify "suspicious indicators associated with travel behavior" in passengers' itinerary PNR data. Furthermore, the agency is planning to test the use of commercial databases to verify the accuracy of information provided by travelers. TSA received about 500 comments from the public last month in response to the Secure Flight proposal. Most of those who commented voiced concern about Secure Flight's implications for privacy and other civil liberties. Under the recently passed Department of Homeland Security Appropriations Act of 2005, no funding may be used to deploy Secure Flight until the Government Accountability Office examines the privacy implications and other aspects of the program. The GAO must submit its report on Secure Flight to Congress no later than March 28, 2005. TSA's order to airlines to turn over June 2004 PNRs: http://www.epic.org/redirect/sf_final_order.html For more information about passenger prescreening, see EPIC's Passenger Profiling Page: http://www.epic.org/privacy/airtravel/profiling.html ====================================================================== [3] EPIC Joins Coalition to Support Privacy in Email Intercept Case ====================================================================== EPIC joined five civil liberties groups to file a "friend of the court" brief encouraging the First Circuit Court of Appeals to overturn a controversial ruling on email privacy. In June, a three-judge panel held in United States v. Councilman that an email service provider did not violate criminal wiretap laws by acquiring users' incoming emails without their knowledge or consent to gain a commercial advantage over a competitor. Because the emails were not actually in wires or cables between computers when accessed, but were instead temporarily stored on the service provider's computer system, the panel found the emails could not have been "intercepted" in violation of wiretap law. The First Circuit has withdrawn the panel decision and is reconsidering the case. The civil liberties groups' brief argued that the panel's decision creates serious constitutional questions under the Fourth Amendment guarantee against unreasonable search and seizure. The brief was also joined by the Center for Democracy and Technology, Electronic Frontier Foundation, American Civil Liberties Union, American Library Association, and Center for National Security Studies. Senator Patrick Leahy (D-VT) also filed an amicus brief discussing what Congress had in mind when it extended legal protections to email in 1986. Senator Leahy, the sponsor of the Senate version of the legislation that became the Electronic Communications Privacy Act, argued that the panel's decision fails to recognize Congress' intent to protect the privacy of electronic communications when the Act was passed, and should be reversed. Five technical experts also filed a brief in favor of Internet privacy, explaining that email should receive full legal protection while in transmission. "Internet-based mail services clearly distinguish between the routine storage that occurs when a message reaches its destination . . . and the temporary 'storage' that occurs as electronic mail moves in many discrete steps from sender to recipient," the brief argued. The technical experts endorsing the brief were Dr. Whitfield Diffie, Chief Security Officer of Sun Microsystems; Dr. Edward W. Felten, Professor of Computer Science at Princeton University; Dr. John R. Levine, Chair of the Internet Research Task Force Anti-Spam Research Group; Dr. Peter G. Neumann, Principal Scientist in the Computer Science Lab at SRI International; and Dr. Bruce Schneier, Chief Technical Officer of Counterpaine Security. The First Circuit will hear oral arguments in the rehearing next month. Amicus brief filed by civil liberties groups: http://www.epic.org/privacy/councilman/kerr_amicus.pdf Amicus brief filed by Senator Leahy: http://www.epic.org/privacy/councilman/leahy_amicus.pdf Amicus brief filed by technologists: http://www.epic.org/privacy/councilman/tech_amicus.pdf For more information about the case, see EPIC's United States v. Councilman Page: http://www.epic.org/privacy/councilman ====================================================================== [4] Government Report Finds SSNs in Many State, County Records ====================================================================== The Government Accountability Office, the investigative arm of Congress, has released a report finding that Social Security Numbers (SSNs) "are widely exposed to view in a variety of public records, particularly those held by state and local government." The GAO estimated that "individuals' SSNs are displayed in some public records in 80 to 94 percent of U.S. counties." The GAO also found that agencies in "41 states as well as the District of Columbia reported holding at least one type of public record that shows the SSN." SSNs were most frequently found in court and property records. SSNs were less likely to be found in the public records of federal executive agencies because of protections provided by the Privacy Act. However, the GAO did report finding SSNs in some federal court records. These findings are important because the presence of SSNs in public records "increases the likelihood that they will be misused for inappropriate mining of personal information, violation of privacy, and identity theft." Indeed, public records are a major source for personal information used by data brokers and direct marketers. Once personal information appears in a public record, some data brokers can collect, use, and disclose the information without any privacy obligations. There is also a risk that identity thieves will mine public records in order to locate new victims. The report also noted that 57 million identification cards bearing a full SSN have been issued by the federal government to employees and individuals in benefits programs or the military. The GAO reported that the practice "puts cardholders at risk for identity theft due to the increased potential for accidental loss, theft, or visual exposure." The GAO recommended that the government investigate SSN display on identification cards and develop a unified approach to addressing the problem. The report was requested by Representative Clay Shaw (R-FL), the Chairman of the Ways and Means Subcommittee on Social Security. Rep. Shaw has been a consistent supporter of greater privacy protections for SSNs. Government Accountability Office, Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards: http://www.gao.gov/docsearch/abstract.php?rptno=GAO-05-59 For more information about the privacy of Social Security Numbers, see EPIC's SSN Page: http://www.epic.org/privacy/ssn For more information about public record privacy, see EPIC's Public Records Page: http://www.epic.org/privacy/publicrecords ====================================================================== [5] FTC Proposes Major Telemarketing Loophole ====================================================================== The Federal Trade Commission has proposed to create a loophole in telemarketing regulations that will allow companies to deliver "prerecorded message telemarketing" to their existing customers. This type of telemarketing also leaves "answering machine spam," unwanted messages on voicemail. Even those enrolled in the Do-Not-Call Registry will be affected by the proposed loophole. Under the proposal, companies could call their current customers and play a recorded message. The message would have to give the consumer an opportunity to opt out of the calls, either by pressing a button or by calling a toll-free number. The key to the proposal is the definition of businesses' "current customers." Under the Do-Not-Call Regulations, a business relationship exists whenever an individual makes an inquiry about or buys any product or service. Inquiries create a relationship for three months; purchases for eighteen. During that period, the company can make telemarketing calls even if the individual is enrolled in the Do-Not-Call Registry, and the individual must opt out of each business relationship individually. Technically, under the regulations, buying a cup of coffee creates a business relationship that permits telemarketing for eighteen months. The Commission's proposal comes at a time where technology and business practices could create the "perfect storm" for a barrage unwanted telemarketing and answering machine spam. Technologically, with Internet telephony (VoIP), it now is easier and less expensive to use a regular computer to initiate automated, prerecorded voice calls. Additionally, many retail businesses are asking for identification information at the point of sale. Companies collecting this information could exploit this loophole to send volumes of prerecorded telemarketing and answering machine spam. In proposing this loophole, the Commission is acting on a petition brought by the Voice Mail Broadcasting Corporation, a company that automates the delivery of messages to answering machines. A news article from 1999 indicates that the company could make 1.5 million calls a day. If the loophole is accepted, other companies are likely to clone the practice, resulting in an increase of unwanted telemarketing. EPIC and a coalition of privacy groups will file formal comments on the loophole, stressing that individuals can opt in to this form of telemarketing if they choose, but that a mere business relationship should not authorize companies to deliver prerecorded messages. The Commission is accepting comments until January 10, 2005. Proposed amendment to the telemarketing sales rule: http://www.ftc.gov/opa/2004/11/tsramend.htm Anyone may comment on this loophole by visiting the FTC comment web site: https://secure.commentworks.com/ftc-tsr ====================================================================== [6] News in Brief ====================================================================== HOUSE DEFIES 9/11 COMMISSION, ENDORSES GOVERNMENT SECRECY Giving in to the House in negotiations over legislation to implement the recommendations of the 9/11 Commission, the Senate agreed to allow the government's intelligence budget to remain classified. This decision undermines the Commission's finding that Congressional oversight of intelligence must be improved, and supports a tradition of secrecy and extensive classification that may frustrate public oversight and press reporting on matters of national interest. In exchange for this compromise with the House, the legislation would now call for "exclusive" authority by the national intelligence director over the National Intelligence Program budget. Currently, the defense secretary controls approximately 80 percent of funding for government intelligence. For more information about the Commission's findings, see EPIC's page on the 9/11 Commission recommendations: http://www.epic.org/privacy/terrorism/911comm.html EPIC JOINS AMICUS BRIEF IN JUNK FAX CASE EPIC and Private Citizen, Inc. argued in a brief to the Georgia Supreme Court that "junk faxing is simply electronic trespass as a means to committing advertising by theft -- the electronic equivalent of junk mail sent postage due." In the case, Carnett's Inc. v. Michelle Hammond, the court will determine whether individuals can bring class action suits under the Telephone Consumer Protection Act, a law that prohibits the sending of "junk faxes," unsolicited commercial facsimile messages. EPIC argued that class actions are essential to the law's effectiveness, noting that junk faxers collectively transmit two billion messages a year. The brief also argues that no "established business relationship" exemption exists that would permit sending unwanted faxes. Coalition brief on junk faxes: http://www.epic.org/privacy/telemarketing/Hammond.pdf For more information about junk faxing, see EPIC's Telemarketing and Junk Fax Page: http://www.epic.org/privacy/telemarketing FDA ENDORSES RFIDS FOR PRESCRIPTION DRUG BOTTLES Drug manufacturers will soon add radio frequency identification (RFID) tags to bottles of prescription pills. This move comes after the Food and Drug Administration (FDA) issued voluntary guidelines lifting restrictions on labeling that may have discouraged companies from testing out the technology. The RFID tags will be used to combat the small but growing problem of prescription drug counterfeiting by allowing tracking of wholesale drug products from manufacturers to pharmacies. Tags will first be used in a test phase that will last until December 31, 2007. In February 2004, the FDA issued a report entitled "Combating Counterfeit Drugs" which encouraged drugmakers to use RFID chips on their products. In a position statement issued in November 2003 on RFID technology, almost 50 consumer privacy and civil liberties organizations around the world found the use of RFID tags for tracking pharmaceuticals acceptable as long as the tags help ensure the drugs are not counterfeit, are handled properly and dispensed appropriately, and the tags contained on or in the pharmaceutical containers are physically removed or permanently disabled before being sold to consumers. For more information about radio frequency identification technology, see EPIC's RFID Page: http://www.epic.org/privacy/rfid CALIFORNIA APPROVES MEASURE TO EXPAND DNA COLLECTION California has passed Proposition 69, a measure that requires a DNA sample to be taken from every adult and juvenile convicted of a felony and from every adult arrested on suspicion of murder or certain sex crimes in the state. The law will expand in 2009 to include individuals arrested on suspicion of any felony and certain misdemeanors. Retroactive provisions require that samples also be obtained from some California prison inmates and parolees not covered under previous law, which applies only to those convicted of serious felonies. The new law will add tens of thousands of new DNA profiles to a statewide database, which in turn feeds into the FBI's national DNA database. For more information about DNA privacy, see EPIC's Genetic Privacy Page: http://www.epic.org/privacy/genetic CFP 2005 ACCEPTING PANEL PROPOSALS The 15th annual conference on Computers, Freedom & Privacy takes place from Tuesday, April 12, to Friday, April 15, 2005, in Seattle, Washington. The theme of the conference is "Panopticon." The conference's program committee is currently accepting proposals for conference sessions and speakers. Submit your ideas by December 31, 2005. CFP 2005: http://www.cfp2005.org ====================================================================== [7] EPIC Bookstore: Privacy & Human Rights 2004 ====================================================================== Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments (EPIC 2004). http://www.epic.org/bookstore/phr2004 This annual report by EPIC and Privacy International reviews the state of privacy in more than sixty countries around the world. It outlines legal protections, new challenges, and summarizes important issues and events relating to privacy. Privacy & Human Rights 2004 is the most comprehensive report on privacy and data protection ever published. The 2004 edition of Privacy & Human Rights documents the continued expansion of government surveillance authority. Many countries have pursued new identification schemes, expanded monitoring of communications, weakened data protection laws, and intensified data transfers between the public and private sectors. The 2004 Privacy & Human Rights report also finds continuing opposition to traveler profiling systems, secret video surveillance, smart cards, DNA and health information databases, and radio frequency identification (RFID) technologies. New topics for 2004 include travel privacy, electronic voting, census, nanotechnologies, and the World Summit on the Information Society. The 2004 survey notes the adoption of new data protection and open government laws, and includes new country reports from Latin America, Africa, and Asia. ================================ EPIC Publications: "Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $35. http://www.epic.org/bookstore/phr2004 This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws. ================================ "FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40. http://www.epic.org/bookstore/foia2004 This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual. ================================ "The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40. http://www.epic.org/bookstore/pvsourcebook This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, as well as recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process. ================================ "The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40. http://www.epic.org/bookstore/pls2003 The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources. ================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0 A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ "The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. http://www.epic.org/cls The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy. ================================ "Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20. http://www.epic.org/bookstore/crypto00& EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement. ================================ EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at: EPIC Bookstore http://www.epic.org/bookstore "EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html ====================================================================== [8] Upcoming Conferences and Events ====================================================================== The 2004 Isaac Pitblado Lectures: Privacy -- Another Snail in the Ginger Beer. The Law Society of Manitoba, The Manitoba Bar Association and the University of Manitoba Faculty of Law. November 19-20, 2004. Manitoba, Canada. For more information: http://www.lawsociety.mb.ca/shopping/default.asp. 2004 Big Brother Awards Hungary. November 25, 2004. Budapest, Hungary. For more information: http://hu.bigbrotherawards.org. Africa Electronic Privacy and Public Voice Symposium. The Public Voice. December 6, 2004. Capetown, South Africa. For more information: http://www.thepublicvoice.org/events/capetown04. National Security, Law Enforcement and Data Protection. British Institute of International and Comparative Law Data Protection Research and Policy Group. December 8, 2004. London, UK. For more information: http:www.biicl.org. 3rd Annual Digital Rights Management Conference 2005. Ministry of Science and Research of the State Northrhine Westfalia, Germany. January 13-24, 2005. Berlin, Germany. For more information: http://www.digital-rights-management.org/start.php. 12th Annual Network and Distributed System Security Symposium. The Internet Society. February 3-4, 2005. San Diego, CA. For more information: http://www.isoc.org/isoc/conferences/ndss/05/index.shtml. 14th Annual RSA Conference. RSA Security. February 14-18, 2005. San Francisco, CA. For more information: http://2005.rsaconference.com/us/general/default.aspx. The World Summit on the Information Society PrepCom 2. February 17-25, 2005. Geneva, Switzerland. For more information: http://www.itu.int/wsis/preparatory2/hammamet/index.html. The Concealed I: Anonymity, Identity, and the Prospect of Privacy. On the Identity Trail and the Law and Technology Program at the University of Ottawa. March 4-5, 2005. Ottawa, Canada. For more information: http://www.anonequity.org/concealedI. O'Reilly Emerging Technology Conference. March 14-17, 2005. San Diego, CA. For more Information: http://conferences.oreillynet.com/etech. 7th International General Online Research Conference. German Society for Online Research. March 22-23, 2005. Zurich, Switzerland. For more information: http://www.gor.de. 5th Annual Future of Music Policy Summit. Future of Music Coalition. April 10-11, 2005. Washington DC. For more information: http://www.futureofmusic.org/events/summit05/index.cfm. CFP2005: Fifteenth Annual Conference on Computers, Freedom and Privacy. April 12-15, 2005. Seattle, WA. For more information: http://www.cfp2005.org. 2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research. May 8-11, 2005. Berkeley, CA. For more information: http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html. SEC2005: Security and Privacy in the Age of Ubiquitous Computing. Technical Committee on Security & Protection in Information Processing Systems with the support of Information Processing Society of Japan. May 30-June 1, 2005. Chiba, Japan. For more information: http://www.sec2005.org. 3rd International Human.Society@Internet Conference. July 27-29, 2005. Tokyo, Japan. For more information: http://hsi.itrc.net. The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information: http://www.itu.int/wsis. ====================================================================== Subscription Information ====================================================================== Subscribe/unsubscribe via web interface: https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news Back issues are available at: http://www.epic.org/alert The EPIC Alert displays best in a fixed-width font, such as Courier. ====================================================================== Privacy Policy ====================================================================== The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ====================================================================== About EPIC ====================================================================== The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 11.22 ---------------------- .