                          E P I C  A l e r t
Volume 12.04                                         February 26, 2005

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.


Table of Contents

[1] EPIC Urges ChoicePoint To Give Access to 145,000 Victims
[2] California School Drops RFID Tracking Program After EPIC Protest
[3] EPIC Opposes Sharp Increase in TSA Surveillance Spending
[4] EPIC Comments on DC Metro's Public Access to Records Policy
[5] Bipartisan Legislation Introduced to Enhance Open Government
[6] News in Brief
[7] EPIC Bookstore: Michael Chesbro's Privacy Handbook
[8] Upcoming Conferences and Events

[1] EPIC Urges ChoicePoint To Give Access to 145,000 Victims

Following the extraordinary news this week that ChoicePoint sold
personal information on at least 145,000 Americans to a criminal ring
engaged in identity theft, EPIC urged the company to make available to
those whose personal information was negligently disclosed the same
information made available to the crooks. "It is not only a matter of
fairness, but also a critical public safety concern that these
individuals have in their possession the same information about them
that you gave to criminals," said the February 18 letter from EPIC.

ChoicePoint sent out letters to California residents notifying them of
the wrongful disclosure of their personal information because of a
California state requirement. Following a letter from 38 state
attorneys general urging the company to make similar notifications to
individuals across the country, ChoicePoint sent out letters to
145,000 potential victims of identity theft across the country.

California police have reported that the criminals used the
ChoicePoint data to make unauthorized address changes on at least 750
people, and investigators believe that personal information of up to
400,000 people nationwide may have been compromised.

EPIC also urged the company to "disgorge the funds that you obtained
from the sale of the data and make these funds available to the
individuals who will suffer from identity theft as a result of this
disclosure." ChoicePoint sold the accounts for fees of $100 to $200.
ChoicePoint CEO Derek Smith recently said the company has not yet
decided if it will help defray expenses for consumers whose records
may have been compromised.

Since 2001, EPIC has investigated commercial data aggregators such
as ChoicePoint, which collect personal information on individuals
and sell the data to third parties. In a December 16, 2004,
complaint to the Federal Trade Commission, EPIC urged the commission to
determine whether ChoicePoint and other data brokers comply with the
Fair Credit Reporting Act and also asked whether it will be
necessary to update the federal privacy laws to take account of new
business practices. In an exchange of letters with EPIC in January,
ChoicePoint stated that its auditing procedures were sound and there
was no reason for the FTC to investigate.

The negligent sale of detailed personal information by the country's
largest information broker underscores the need for the FTC to make
certain that ChoicePoint and other data brokers are conducting
business in compliance with federal privacy laws. Congressional
lawmakers have called for an investigation into the collection and
sales practices of data brokers such as ChoicePoint.

EPIC's reply to ChoicePoint's letter on FCRA:


For more information, visit EPIC's ChoicePoint page:


[2] California School Drops RFID Tracking Program After EPIC Protest

Last week, Brittan Elementary School in Sutter, Calif., abandoned an
RFID tracking pilot program after InCom, the company which developed
the technology, pulled out of its agreement with the school. (See EPIC
Alert 12.03.) In mid-January the school started requiring its students
to wear radio frequency identification badges that tracked every
student's movements in and around the school on a real-time basis and
displayed the child's picture, name, grade and class year.

Two weeks ago, EPIC, along with the Electronic Frontier Foundation and
ACLU-Northern California, urged the Brittan School officials in a
joint letter to terminate the program. The letter argued that the
program raised serious safety and civil liberties implications and,
most importantly, breached children's right to privacy and dignity by
treating them like cattle or pieces of inventory.

Soon after the letter was sent and a meeting for parents took place to
discuss the issue with the school administration, the media all around
the country began reporting about the tracking system and its risks
for privacy, parents' threats of lawsuits and protests, and the
involvement of civil liberties groups, which eventually pushed InCom
to call off the testing at the Brittan School.

EPIC's press release:


EPIC-ACLU-EFF joint letter to the Brittan School Board:


For more information about how RFIDs affect children, visit EPIC's
Children and RFID Systems Page:


[3] EPIC Opposes Sharp Increase in TSA Surveillance Spending

EPIC submitted a letter to the Senate Committee on Commerce, Science
and Transportation voicing its strong opposition to the significant
increase in federal funding for the Transportation Security
Administration's surveillance programs, such as its Secure Flight
passenger prescreening program, its Registered Traveler passenger
prescreening program, and its Transportation Worker Identity
Credential program.

TSA has a history of failing to meet its legal obligations for
openness and transparency under the Freedom of Information Act and
violating the spirit of the Privacy Act. TSA has continued to place a
low priority on the privacy rights of American citizens in the
development of these surveillance programs.

TSA also has shown a proclivity for using personal information for
reasons other than the ones for which the information was gathered or
volunteered, as evidenced by the TSA documents about the now-defunct
CAPPS II passenger profiling program that EPIC obtained under FOIA.

TSA also has shown poor management of its financial resources, as
Cathleen Berrick, Government Accountability Office Director of
Homeland Security and Justice, testified at the Senate Committee on
Commerce, Science & Transportation hearing concerning funding for TSA
on February 15, 2005. Ms. Berrick testified that in Fiscal Year 2005,
TSA was forced to transfer about $61 million from its Research and
Development budget of $110 million, to support its operations, such as
personnel costs for screeners.

EPIC letter to the Senate Committee on Commerce, Science &


For more information about the proposed Fiscal Year 2006 budget, see
EPIC's U.S. Domestic Spending on Surveillance Page:


For more information about travelers' privacy rights, see EPIC's
Passenger Profiling Page:


[4] EPIC Comments on DC Metro's Public Access to Records Policy

In December 2004, the Washington Metropolitan Area Transit Authority's
board (Metro) requested changes to its new Public Access to Records
Policy (PARP) and Privacy Policy. Both documents were available for
comments until February 14, and Metro has committed that it will take
the suggestions into account before releasing its final policies.

EPIC has submitted comments on both policies. Compared to their
earlier versions, they generally better protect the privacy of Metro
riders, while allowing the public and the media to get improved access
to information about Metro. The new PARP offers more rights to
requesters and its amendments are closer in spirit to the federal
Freedom of Information Act. As an example of the positive changes, the
new PARP provides information requesters with a right of
administrative appeal and judicial review to challenge denials.

However, a few PARP provisions may allow Metro to deny information
access requests for illegitimate reasons, which could in turn preclude
adequate public oversight of its activities and prevent meaningful
accountability. For example, under the current policy, Metro officials
would have to refuse requesters the disclosure of any records that are
related to the SmarTrip program, no matter whether they identify an
individual or not. The information exempted from disclosure could
include policy documents, and generally all records likely to --
without divulging SmarTrip users' personal information --
significantly contribute to public understanding of the operations or
activities of Metro and its SmarTrip program.

Metro's SmarTrip program involves the use of a permanent, rechargeable
farecard embedded with a special computer chip that keeps track of the
card's value and travel itineraries. It allows Metro to know where any
of its riders has gone within its transportation network at any given
moment and to match these records with the rider's name, address and
credit card.

Metro's new Privacy Policy would disclose its riders' personal
information (including all SmarTrip information) upon a written
request from the head of any federal, state or local government agency
in the context of a specific civil or criminal law enforcement
activity. EPIC made it clear in its comments that the disclosure by
Metro of personal information to a government agency requires a court
order as well as adequate accounting of the disclosure.

EPIC's comments to DC Metro:


New Metro PARP and Privacy Policy:


[5] Bipartisan Legislation Introduced to Enhance Open Government

Senators John Cornyn (R-TX) and Patrick Leahy (D-VT) recently
introduced the "Openness Promotes Effectiveness in our National
Government Act," legislation that will improve government
accountability by expanding and fortifying the Freedom of Information
Act. Rep. Lamar Smith (R-TX) has introduced an identical companion
bill in the House.

The OPEN Government Act would add teeth to the FOIA by encouraging
agencies to release information in a timely manner. The law would
require agencies to assign tracking numbers to requests within 10 days
of receipt. Agencies would also be obligated to create telephone or
Internet services to allow individuals to track the status of their
requests and estimated completion times for processing. Agencies
failing to respond to a request within 20 days would lose the right to
withhold information unless they could show good reason for the delay,
or if disclosure would endanger national security, reveal personal or
proprietary information, or violate the law.

The OPEN Government Act would also broaden the rights of requesters.
The legislation would expand the definition of news media requesters
so that smaller, nontraditional media such as Internet bloggers would
be entitled to fee waivers under the FOIA. The bills would also make
it easier for requesters to recover attorneys' fees and court costs if
forced to sue the government under the FOIA to obtain documents.

The OPEN Government Act would also enhance oversight by requiring
agencies to submit more detailed reports on how they handle FOIA
requests. Furthermore, the Comptroller General would be required to
examine and report on the Department of Homeland Security's
withholding of critical infrastructure information provided by private

In addition, the proposed law would expand the FOIA to cover
government records maintained by private companies. It also would
create an Office of Government Information Services to oversee
agencies' FOIA processing procedures and mediate disputes.

The Senate bill has been referred to the Judiciary Committee. A
subcommittee hearing on the bill is expected in mid-March.

More information about the OPEN Government Act, S. 394, is available


For more information about the Freedom of Information Act, see EPIC's
Open Government Page:


[6] News in Brief

Accountability Office Weighs In on US-VISIT, Secure Flight

The Government Accountability Office recently released a report on the
Department of Homeland Security's planned expenditures for US-VISIT in
the coming year and compliance with recommendations the office
previously made for the program. The report concluded that DHS has made
some progress satisfying requirements for the program determined by
Congress, but much remains to be done. Among other things, the office
found that the agency has not conducted a security risk assessment of
the program, and has no anticipated date for completing one.
Furthermore, the GAO noted that the most recent privacy impact
assessment for US-VISIT does not fully comply with the Office of
Management and Budget's guidance for conducting such evaluations.

The GAO has also issued a report examining the Transportation Security
Administration's measures for testing the use of commercial data
within Secure Flight, the agency's passenger prescreening program
currently under development. The report determined that the agency has
developed preliminary measures for concept testing, but further review
will be needed to determine "if the measures are designed to identify
relevant impacts on aviation security, and reflect attributes of
successful performance measures for that purpose."

Government Accountability Office, Homeland Security: Some Progress
Made, but Many Challenges Remain on U.S. Visitor and Immigration
Status Indicator Technology Program:


Government Accountability Office, Aviation Security: Measures for
Testing the Impact of Using Commercial Data for the Secure Flight


For more information about US-VISIT, visit EPIC's US-VISIT Page:


For more information about aviation security measures, visit EPIC's
Passenger Profiling Page:


EPIC Files Comments on FTC's COPPA Rule Change

EPIC submitted comments to the Federal Trade Commission on its
proposal to weaken the Children's Online Privacy Protection Act's
parental notice requirements. EPIC challenged the underlying
assumptions presented by the FTC in its proposal to make permanent the
"Sliding Scale 2005" which addresses parental communications regarding
their children's online activity.

EPIC has had a long-standing interest in children's online privacy and
was one of the first organizations to support the effort to improve
the Internet privacy of children.

EPIC Comments to the FTC are available at:


For more information, visit EPIC's Children's Online Privacy
Protection Act Page:


EPIC Submits Views to NIST on Federal ID Privacy Concerns

EPIC submitted comments to the National Institute of Science and
Technology (NIST) on "Special Publication 800-73" titled "Interfaces
for Personal Identity Verification," to warn of the potential to do
more harm than good if important considerations like federal employee
privacy and third party use of a broadly used federal employment ID
are not taken into consideration during the development phase. EPIC
also warned that agencies should not use employees' social security
numbers as part of the identification system for these proposed
federal identification documents.  Last month EPIC testified at a
hearing held by NIST and the Office of Management and Budget. EPIC
concluded that the proposed Personal Identity Verification for Federal
employees and contractors does not take privacy protections into

EPIC Comments to NIST are available at:


EPIC's Testimony to NIST is available at:


For more information on workplace privacy, see EPIC's Workplace
Privacy Page:


Senate Unanimously Passes Genetic Nondiscrimination Bill

This week the US Senate unanimously passed the Genetic Information
Nondiscrimination Act of 2005, which prohibits employers from using
genetic information in employment decisions and insurance companies
from denying coverage or basing premium rates on that data. The bill
also establishes privacy protections for genetic information held by
employers, employment agencies, labor organizations, and others. Last
year, a similar bill was passed in the Senate but died in the House.

For more information on bill S.306:


For more information see EPIC's Genetic Privacy Page:


Anti-Spyware Bill Would Exempt Software Cookies

The House Subcommittee on Commerce, Trade and Consumer Protection has
approved the Spy Act, anti-spyware legislation. The Spy Act aims to
prevent spyware purveyors from hijacking a Web site's home page or
tracking users' keystrokes. It only allows for the collection of
personal information after express consent from users. The legislation
also requires that spyware programs be easily identifiable and

But subcommittee chairman Clifford Stearns (R-FL) attached an
amendment that would exempt software cookies, including third-party
cookies, from the spyware definitions covered by the legislation.
Embedded ads on web pages would also be exempted from the
legislation's requirements that online ads include identifying
information so consumers can find and remove the software causing
them. The legislation now goes to the full Commerce Committee for a

More information about the Spy Act, H.R. 29, is available at:


For more information on Internet privacy and cookies, see EPIC's
Internet Privacy Page:


Federal Government's Cyber-Security Fails to Make the Grade

For the fifth straight year, at least half of all federal agencies
received a grade of "D" or worse on the House Government Reform
Committee's annual cyber-security report card. The Department of
Homeland Security and seven other agencies each received an "F." The
federal government received an overall grade of "D-plus," up
slightly from last year's "D" and 2002's "F."

The full report card is available at (pdf):


For more information, see EPIC's Online Guide to Practical Privacy


US Government Agency Directs .us to End Anonymous Domain Registration

The US Department of Commerce National Telecommunications and
Information Administration (NTIA) has directed Neustar, the company
that runs .us, to prohibit anonymous or proxy domain registration.
This direction by the NTIA is intended to create a complete and
accurate WHOIS database. What this does, however, is ensure that
registrants' data including such personal information as address and
phone number will be made publicly and anonymously accessible to
anyone online including spammers and marketers.

For more information, see EPIC's WHOIS Page:


[7] EPIC Bookstore: Michael Chesbro's Privacy Handbook

Michael Chesbro, Privacy Handbook: Proven Countermeasures for
Combating Threats to Privacy, Security, and Personal Freedom (Paladin
Press 2002).


"'Those who would give up essential liberty to purchase safety,'
stated Benjamin Franklin in 1759, 'deserve neither liberty nor
safety.' Unfortunately, in today's climate of fear, the government,
the media and plenty of other American citizens see things
differently. If you are not willing to accept "some restrictions in
civil liberties to guarantee security," (as Tom Brokaw and others have
phrased it), this book is essential reading. In it, Michael Chesbro
shares hundreds of simple but effective measures you can take - short
of armed revolution - to preserve your privacy and sovereignty in the
face of Big Brother run amok. By being aware of the various threats to
financial privacy, computer and online security, private
communications, home security and more, and by employing these
techniques to combat them, you can protect yourself from rogue
government agents and meddling bureaucracies as well as nosy
neighbors, prying family members, identity thieves, stalkers,
solicitors and other enemies of privacy and personal liberty."


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

The Concealed I: Anonymity, Identity, and the Prospect of Privacy.  On
the Identity Trail and the Law and Technology Program at the
University of Ottawa.  March 4-5, 2005.  Ottawa, Canada.  For more
information: http://www.anonequity.org/concealedI.

The Health Information Technology Summit West. eHealth Initiative.
March 6-8, 2005.  San Francisco.  For more information:

IAPP National Privacy Summit 2005.  International Association of
Privacy Professionals.  March 9-11, 2005.  Washington, DC.  For more
information:  http://privacyassociation.org.

O'Reilly Emerging Technology Conference.  March 14-17, 2005.  San
Diego, CA.  For more information:

Policy Options and Models for Bridging Digital Divides: Freedom,
Sharing and Sustainability in the Global Network Society.  March
14-15, 2005.  Project on Global Challenges of eDevelopment, Hypermedia
Laboratory, University of Tampere.  Tampere, Finland.  For more
information: http://www.globaledevelopment.org/forthcoming.htm.

2005 National Freedom of Information Day Conference.  First Amendment
Center.  March 16, 2005.  Washington, DC.  For more information:

7th International General Online Research Conference.  German
Society for Online Research.  March 22-23, 2005.  Zurich, Switzerland.
For more information: http://www.gor.de.

The 2005 Nonprofit Technology Conference.  Nonprofit Technology
Enterprise Network.  March 23-25, 2005.  Chicago, IL.  For more
information: http://www.nten.org/ntc.

The Global Flow of Information Conference 2005.  Information Society
Project at Yale Law School. April 1-3, 2005. New Haven, CT. For
more information:
http://islandia.law.yale.edu/isp/GlobalFlow/registration.htm.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
April 4-8, 2005. Mar del Plata, Argentina. For more information:
http://www.icann.org.

VoIP World Africa 2005. April 5-7, 2005. Terrapinn. Johannesburg,
South Africa. For more information:
http://www.terrapinn.com/2005/voipza/confprog.stm.

RFID Journal LIVE! 2005. April 10-12. Chicago, IL. For more
information: http://www.rfidjournallive.com.

CFP2005: Fifteenth Annual Conference on Computers, Freedom and
Privacy. April 12-15, 2005. Seattle, WA. For more information:
http://www.cfp2005.org.

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society
Technical Committee on Security and Privacy in cooperation with The
International Association for Cryptologic Research. May 8-11, 2005.
Berkeley, CA. For more information:
http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html.

SEC2005: Security and Privacy in the Age of Ubiquitous Computing.
Technical Committee on Security & Protection in Information
Processing Systems with the support of Information Processing Society
of Japan. May 30-June 1, 2005. Chiba, Japan. For more information:
http://www.sec2005.org.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005. Luxembourg City, Luxembourg. For more information:
http://www.icann.org.

3rd International Human.Society@Internet Conference. July 27-29,
2005. Tokyo, Japan. For more information: http://hsi.itrc.net.

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:
http://www.futureofmusic.org/events/summit05/index.cfm.

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more
information: http://www.icann.org.

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

      https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

      http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information. EPIC
publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research. For more information, see
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248
(fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:

      http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 12.04 ----------------------