
                             E P I C  A l e r t
Volume 12.19                                          September 22, 2005

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] Transportation Agency Drops Commercial Data From Prescreening Plan
[2] Privacy Commissioners: Set Privacy & Data Protection as Human Rights
[3] EPIC Advises Canadian Government on Identity Theft Prevention
[4] Roberts's Confirmation Hearings Highlight Privacy Concerns
[5] Election Report Recommends Voter ID, Paper Trails
[6] News in Brief
[7] EPIC Bookstore: Stephen G. Breyer's "Active Liberty"
[8] Upcoming Conferences and Events

[1] Transportation Agency Drops Commercial Data From Prescreening Plan

The Transportation Security Administration (TSA) has abandoned plans to
use commercial data to check the identities of airline passengers in the
government's proposed passenger prescreening system, Secure Flight. TSA
announced the decision shortly before a government-appointed working
group is expected to issue a critical report on the program's privacy

As envisioned, Secure Flight would compare Passenger Name Records
against information compiled by the Terrorist Screening Center, which
includes expanded "selectee" and "no fly" lists. Further, the program
would seek to identify suspicious travel behavior in passengers'

As originally planned, TSA would have also used commercial databases to
verify the accuracy of information provided by travelers. The contractor
conducting the test was EagleForce Associates, Inc., which obtained
commercial data from data aggregators Acxiom, InsightAmerica and Qwest.
According to documents obtained by EPIC under the Freedom of Information
Act last year, Acxiom pushed to water down key federal privacy laws
immediately after the September 11, 2001 terrorist attacks. According to
the documents, Acxiom sought broader access to "credit headers" and
drivers information in order to develop a system for "identity and
information verification that can be used by organizations such as
airlines, airports, cruise ships, and large buildings and other
applications to better determine whether a person is actually who they
say they are."

The agency began testing the system earlier this year. In June, however,
TSA admitted that it had collected and maintained detailed commercial
data about thousands of travelers in violation of a notice published
last fall stating it wouldn't do so. The disclosure came just days after
the Department of Homeland Security Privacy Office announced that it was
investigating whether TSA violated a federal privacy law during the
program's testing.

In related news, the Justice Department Inspector General recently
concluded that TSA's missteps have made it difficult for the government
office responsible for the terrorist watch list to prepare for the
launch of Secure Flight. The Terrorist Screening Center maintains the
government's consolidated watch list, which is planned to be a vital
part of the prescreening program. According to the Inspector General's
report, Terrorist Screening Center officials "believe that their ability
to prepare for the implementation of Secure Flight has been hampered by
the TSA's failure to make, communicate, and comply with key program and
policy decisions in a timely manner." The Inspector General cited
several issues as potentially problematic, including costs, redress, and
data accuracy.

Transportation Security Administration's Page on Secure Flight:


EPIC documents on Acxiom's lobbying and proposed amendments (pdf):


EPIC's Secure Flight Page:


Justice Department Inspector General's Report (pdf):


[2] Privacy Commissioners: Set Privacy & Data Protection as Human Rights

Privacy commissioners from around the world called on governments and
international organizations to establish data protection and privacy as
fundamental human rights. At a privacy conference in Montreux,
Switzerland, they also called for effective safeguards to limit the use
of biometric passports and identity cards so that centralized databases
will not be established. They also urged greater cooperation with NGOs.

A day before the large privacy conference started, EPIC and other
European and American civil liberties groups sponsored a conference
entitled "Strategies for International Privacy Protection -- Issues,
Actors, and Future Cooperation." Its principal aim was to debate one of
the two most sensitive privacy issues governments are grappling with and
to reinforce cooperation between non-governmental organizations and data
protection authorities. Privacy officials, NGOs, and representatives
from the industry all participated in the discussion.

In the first panel on data retention, a speaker pointed to the many
security risks and high costs for the industry -- Internet Service
Providers and telecommunications providers -- and police and security
agencies that a regime of retention of traffic and location data would
introduce. A high risk also exists for police agencies themselves, since
their traffic and location data would be stored in one place, and create
a tempting target for criminals. In the second panel on biometrics, the
Swiss Privacy Commissioner Hanspeter Thur described the pilot biometric
passports project Switzerland had launched that was ended because of the
high privacy risks that are inherent in the central database of the
biometric passports program. Speakers also discussed the lack of
transparency and the absence of public debate that supra-national
organizations and governments around the world showed when they
introduced proposals for biometric passports.

In a resolution, a group of privacy commissioners called for effective
safeguards to limit the risks inherent to biometrics. They sought to
restrict the use of biometrics in passports and identity cards to
verification purposes -- the biometric data in the document would be
compared with the data provided by the holder when presenting the
document -- thereby prohibiting any centralization of data. The privacy
commissioners suggested that governments make a "strict distinction
between biometric data collected and stored for public purposes," such
as border patrol, "on the basis of legal obligations, and for
contractual purposes on the basis of consent."

Declaration of Montreux (pdf):


Resolution on Biometrics (pdf):


Privacy Conference 2005: 


"Strategies for International Privacy Protection - Issues, Actors, and
Future Cooperation":


[3] EPIC Advises Canadian Government on Identity Theft Prevention

EPIC urged the Canadian government to assume an aggressive posture
against identity theft by taking a number of measures to give
individuals greater control over personal information. In comments to
the Consumer Measures Committee, EPIC explained the need for consumers
to be able to freeze their credit files and for retailers to more
carefully screen credit applications for signs of fraud.

EPIC's comments explained that United States law does little to prevent
identity theft.  Most U.S. law focuses on remedial measures, such as
fraud alerts, and heightened penalties. These remedial measures and
penalties have done little to deter the crime, especially because
impostors are rarely investigated or caught by police. U.S. law also
does little to check high-risk business practices, such as the sending
of prescreened credit card offers, and lax instant credit granting
policies, which make it easy for even unsophisticated individuals to
commit identity theft.

In light of the failure of the remedial approach to address identity
theft, EPIC urged the Canadians to focus on preventive measures. Chief
among these is the credit freeze, the ability of individuals to lock down
their credit report to prevent identity theft. Also suggested were
stricter controls on prescreened credit card offers, and making credit
grantors liable when they negligently issue new accounts to impostors.

EPIC also criticized predominant electronic payment systems. Credit
cards offer little privacy, and involve using the same number over and
over to charge the account. This number is revealed to many different
people, and the credit card industry has refused to add basic
authentication measures, such as a password, to prevent unauthorized
charges.  EPIC argued that the adoption of anonymous payment measures
would heighten privacy, and if properly implemented, reduce fraud

The Consumer Measures Committee is a forum of federal, provincial, and
territorial government representatives. The body will review comments
and issue proposed regulations in legislative language for another round
of public comment.

EPIC Comments to the Consumer Measures Committee:


Canada, Consumer Measures Committee - Identity Theft


[4] Roberts's Confirmation Hearings Highlight Privacy Concerns

Senators on the Judiciary Committee today voted 13-5 to send the
nomination of Judge John G. Roberts Jr. for Chief Justice of the United
States to the full Senate with a recommendation for confirmation. The
right to privacy became a major focus in Judge Roberts's confirmation
hearings, in part because the constitutional right to privacy is a major
underpinning of the Supreme Court's 1973 decision in the abortion rights
case Roe v. Wade. However, privacy rights were raised in a variety of
other contexts as well: Judge Roberts was asked whether rights to
"liberty" in the Fourteenth Amendment include rights to privacy; about
the secrecy-shrouded Foreign Intelligence Surveillance Act (FISA) court;
and whether privacy extends to personal decisions regarding the
education of children, end-of-life scenarios, and sexual orientation.
Other questions focused on the preservation of civil liberties after the
Sept. 11, 2001, terrorist attacks and the need for government

When Sen. Arlen Specter asked Judge Roberts if he believed that there
was a Constitutional right to privacy, he replied: "Senator, I do." He
said that privacy was "the right to be left alone," and that this was
"one of our basic rights." Judge Roberts also said that he believed
there was a privacy right contained within the Fourteenth Amendment, in
its guarantee of liberty, and that this extended to the rights of women.
Although Roberts said that he felt that the right to privacy included a
right to contraception, he declined to answer whether he felt that
privacy rights included a right to an abortion or a right to die,
stating only that he would give weight to previous decisions by the
Supreme Court in these areas. Judge Roberts also refused to state
whether or not he agreed with Justice Clarence Thomas's opinion,
espoused in his dissent in Lawrence v. Texas, that there is no "general
right of privacy" in the Constitution. The 2003 case struck down
anti-sodomy laws in Texas as unconstitutional.

In response to concerns expressed by Sen. Russ Feingold about the
possible erosion of civil liberties in the wake of the Sept. 11 attacks,
Judge Roberts said that the Bill of Rights does not change in times of
war, but "things that might have been acceptable in times of war are not
acceptable in times of peace." The PATRIOT Act, passed in response
to the 2001 attacks, expanded the powers of the secret court enabled by
the Foreign Intelligence Surveillance Act (FISA). The Chief Justice of
the Supreme Court has the power to select members of this secret FISA
court, which authorizes covert surveillance by law enforcement. Sen.
Patrick Leahy urged Judge Roberts to work with him, Sen. Specter and
Sen. Charles Grassley to improve the transparency of the FISA Court.
Roberts agreed to keep an open mind on the topic, though he deferred to
Congress's decisions in creating it.

Last week, in a letter to the Senate Judiciary Committee, EPIC had asked
Senators to explore the views of Judge Roberts on privacy, "particularly
as they may relate to the future of the Fourth Amendment and the role of
the Congress in establishing statutory safeguards." The EPIC letter
concluded, "The first Justice to join the Supreme Court in the 21st
century should have a strong commitment to apply the Constitutional
principles and enforce the statutory rights that help safeguard privacy
in the modern era."

EPIC letter on John Roberts (pdf):


Senate Judiciary Committee:


Wikipedia, John G. Roberts, Jr.:


[5] Election Report Recommends Voter ID, Paper Trails

The Commission on Federal Election Reform, co-chaired by former
President Jimmy Carter and former Secretary of State James A. Baker III,
released a report on the conduct of domestic elections. The report made
87 recommendations, which include a call for universal voter
registration, use of the Real ID as a voter identification document, and
verifiable paper trails for electronic voting machines. The report said
that a single, uniform ID requirement would reduce discrimination,
improve voter confidence and eliminate identification-related election

Congress passed the Help America Vote Act of 2002, in response to the
breakdown in vote tabulation during Florida's recount process conducted
at the conclusion of the 2000 presidential election. HAVA expands the
federal government's role in regulating voter registration and election
processes, and it provides funds to states to upgrade their election
systems. Under HAVA, states retain control of the election process, but
they must meet minimum federal standards. HAVA also required election
officials to verify voters' identification with administrative agencies
(i.e., comparing driver's licenses with local DMVs and Social Security
Numbers with the Social Security Administration.)

In May, Congress passed REAL ID, which mandates federal identification
standards for state driver's licenses and requires that state DMVs
collect sensitive personal information. The proposal of using the Real
ID card as a voter access card would be a significant departure from the
original congressional intent.

States can choose to opt-out of the REAL ID program, but the Act
mandates that licenses from opt-out states cannot be used as
identification for federal purposes. If Congress mandates that voters
participating in federal elections can use only the Real ID card as
identification, then residents of states that reject the REAL ID program
will not have acceptable voter identification.

EPIC earlier opposed Georgia's effort to require all voters to present
photo ID to participate in public elections. EPIC said that the Georgia
plan encroaches on privacy, would discourage voter turnout, and is
inconsistent with HAVA.

Report of the Commission on Federal Election Reform (pdf):


EPIC's Comments to the Department of Justice about the Georgia Voter ID
Plan (pdf):


EPIC's Voting Page:


[6] News in Brief

Report: U.S. Outsources to Countries Lacking Privacy Protections

Rep. Edward J. Markey, a senior Member of the House Energy and Commerce
Committee and the Co-Chair of the Congressional Privacy Caucus, recently
released a report assessing the privacy risks for Americans when their
data is outsourced to other countries. The report ranked the countries
based on eight principles of legal protections taken from the European
Union's Data Privacy Directive, including security, enforcement and
notification. The report found that 14 of the 20 countries profiled have
privacy regimes that are weaker than that of the U.S.

Markey Report: Outsourcing Privacy: Countries Processing U.S. Consumers'
Personal Information Lack Fundamental Privacy Safeguards (pdf):


Privacy and Human Rights Report 2004:


Public Comment Sought on ICANN WHOIS Proposal

The ICANN is requesting public comments on a new WHOIS policy. Under
ICANN's current contracts with the registries and registrars, the WHOIS
domain name contact information, which includes names, addresses,
telephone numbers and e-mail addresses, must be public. But under many
local and national laws the information is private.  The Task Force now
recommends that registrars who change their WHOIS practices to abide by
applicable laws and governmental regulations can still operate as
accredited registrars. EPIC and the Non Commercial Users Constituency
support this change but also urge a comprehensive review of WHOIS
policies to ensure that the personal data of all Internet users is
protected. Comments are due October 2.

Public Comment (due October 2):


ICANN WHOIS Task Force Report:




Choicepoint Announces More Improper Personal Data Disclosures

In the course of investigating a 2004 security breach involving 140,000
Americans, commercial data broker Choicepoint announced that another
9,903 individuals had their personal information sold without
authorization. Of these individuals, 4,667 are victims of the 2004
security breach where Choicepoint sold personal information to an
identity thief ring posing as a business. Choicepoint claims that a
Florida police officer accessed the personal information of 4,689 other
individuals. The remaining notices concern illegitimate access by
private investigators and an insurance company. In Big Brother's Little
Helpers, EPIC's Chris Hoofnagle warned that law enforcement users of
commercial data brokers like Choicepoint were inadequately supervised.
For instance, one document obtained under the Freedom of Information Act
described in the article suggested that the FBI does not audit its own
employee access to the Choicepoint database.

EPIC's Choicepoint Page:


Big Brother's Little Helpers:


US-VISIT Border Program Will Extend to 104 More Ports of Entry

The Department of Homeland Security announced last week that the
US-VISIT border security program will add 104 ports of entry, beyond the
current 50, by the end of the year. Problems have been found in
US-VISIT's database and technology systems, and some errors have led to
the improper flagging of crewmembers by government watch lists. This
extension comes as the agency is considering a flawed proposal to use
Radio Frequency Identification tags for travel documents, and two months
after it began to require visitors to submit a full ten-fingerprint set.

July Spotlight on Surveillance: US-VISIT Rolls Out the Unwelcome Mat:




1,500 Students Protest Metal Detectors, Cameras at High School

This week, 1,500 New York City high school students skipped classes and
marched for two miles to protest the installation of metal detectors and
security cameras at DeWitt Clinton High School. The school had
implemented a system where the students had to pass through metal
detectors and have their bags scanned by X-ray machines. The school had
also installed surveillance cameras. The protest resulted in a promised
meeting between school administrators and students to discuss the new
surveillance system.

May Spotlight on Surveillance: More Cities Deploy Camera Surveillance
Systems with Federal Grant Money:


[7] EPIC Bookstore: Stephen G. Breyer's "Active Liberty"

Stephen G. Breyer, Active Liberty: Interpreting Our Democratic
Constitution (Alfred A. Knopf, 2005)


"It is a historic occasion when a Supreme Court justice offers, off the
bench, a new interpretation of the Constitution. Active Liberty, based
on the Tanner lectures on Human Values that Justice Stephen Breyer
delivered at Harvard University in November 2004, defines that term as a
sharing of the nation's sovereign authority with its citizens. Regarding
the Constitution as a guide for the application of basic American
principles to a living and changing society rather than as an arsenal of
rigid legal means for binding and restricting it, Justice Breyer argues
that the genius of the Constitution rests not in any static meaning it
might have had in a world that is dead and gone, but in the adaptability
of its great principles to cope with current problems.

Giving us examples of this interpretation in the areas of free speech,
federalism, privacy, affirmative action, statutory interpretation, and
administrative law, Justice Breyer states that courts should take
greater account of the Constitution's democratic nature when they
interpret constitutional and statutory texts. He also insists that the
people must develop political experience as well, and obtain the moral
education and stimulus that come from correcting their own errors. His
distinctive contribution to the federalism debate is his claim that
deference to congressional power can actually promote democratic
participation rather than thwart it. He argues convincingly that
although Congress is not perfect, it has done a better job than either
the executive or judicial branches at balancing the conflicting views of
citizens across the nation, especially during times of national crisis.
With a fine appreciation for complexity, Breyer reminds all Americans
that Congress, rather than the courts, is the place to resolve policy


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine
Act, and the Federal Advisory Committee Act.  The 22nd edition fully
updates the manual that lawyers, journalists and researchers have
relied on for more than 25 years.  For those who litigate open
government cases (or need to learn how to litigate them), this is an
essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40. http://www.epic.org/bookstore/pls2004

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and international privacy law, as well
as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries
of interesting documents obtained from government agencies under the
Freedom of Information Act.

      Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Canada-Australia Comparative IP & Cyberlaw Conference. University of
Ottawa. September 30 and October 1, 2005. Ottawa, Ontario. For more
information:
http://web5.uottawa.ca/techlaw/symposium.php?idnt=107&v=&c=&b=

Conference On Passenger Facilitation & Immigration: Newest trends in
achieving a seamless experience in air travel. International Air
Transport Association (IATA) and Singapore Aviation Academy (SAA).
October 3-5, 2005. Singapore Aviation Academy. For more information:
http://www.saa.com.sg/conf_pax_fac

Access & Privacy Workshop 2005: Toolkit For Change. Ontario Ministry of
Government Service’s Access & Privacy Office. October 6-7, 2005.
Toronto, Ontario. For more information:
http://www.governmentevents.ca/apw2005/

State of Play III: Social Revolutions. Berkman Center for Internet and
Society, New York Law School, Yale Law School. October 7-8, 2005. New
York, NY. For more information:
http://www.nyls.edu/pages/2396.asp

Public Voice Symposium: "Privacy and Data Protection in Latin America -
Analysis and Perspectives." Launch of the first Spanish version of
"Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto
Lleras Camargo de la Universidad de los Andes, Bogota, Colombia.
Organizers: Electronic Privacy Information Center (EPIC), Grupo de
Estudios en Internet, Comercio Electrónico, Telecomunicaciones e
Informática (GECTI), Law School of the Universidad de los Andes, Bogota,
Colombia, Computer Professional for Social Responsibility-Peru
(CPSR-Perú). For more information:
http://www.thepublicvoice.org/events/bogota05/default.html

6th Annual Privacy and Security Workshop. Centre for Innovation Law and
Policy (University of Toronto) and the Center for Applied Cryptographic
Research (University of Waterloo). November 3-4, 2005. University of
Toronto. For more information:
http://www.cacr.math.uwaterloo.ca/conferences/2005/psw/announcement.html

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:
http://www.icann.org

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

      https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

      http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

      http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 12.19 -------------------------