                           E P I C  A l e r t
Volume 13.03                                           February 10, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] FCC Grants EPIC Petition on Protecting Telephone Records
[2] EPIC Seeks Spy Documents in Federal Court
[3] EPIC Testifies Before Congress on Illegal Record Sales
[4] Secure Flight Placed on Standby
[5] Federal Budget Pumps Money Into Surveillance Projects
[6] News in Brief
[7] EPIC Bookstore: Robert Sherrill's "First Amendment Felon"
[8] Upcoming Conferences and Events

[1] FCC Grants EPIC Petition on Protecting Telephone Records

On February 10, the Federal Communications Commission announced a formal
rulemaking to create rules strengthening the security of consumers'
phone records. This action grants EPIC's August 2005 petition, which was
filed out of concerns that consumer records were too easily being
acquired and sold online. Data brokers are thought to obtain the
information either by taking advantage of lax authentication methods
(otherwise known as “pretexting”) or by bribing insiders for

"I am deeply concerned about reports of companies trafficking in
personal telephone records," said Kevin Martin, Chairman of the
Commission. Commissioner Jonathan Adelstein agreed, saying, "Telephone
companies are required to have firewalls in place to protect consumers'
private information but instead these records are blazing all over the

The Commission is asking for comment addressing five specific
recommendations made by EPIC in its 2005 petition, including the
creation of consumer-set passwords; tracking who within the companies
views and transfers customer data; encrypting consumer data; limiting
the information collected and retained; and notifying consumers when a
breach of data has occurred.

Industry representatives were resistant to the idea of further
regulation last year, but since then, major news coverage of the
vulnerability of cell records has placed additional pressure on
communications providers. At a hearing held before a Senate
subcommittee, industry spokesman Steve Largent admitted that better
training and baseline authentication standards were necessary to better
protect consumers' records.

The FCC has taken additional action against poor security standards,
recently fining AT&T and Alltel for failing to comply with existing
security rules. The text of the proposed rulemaking should be available
next week.

EPIC's Petition to the FCC:


FCC Press Release on Rulemaking:


EPIC's Illegal Sale of Phone Records Page:


[2] EPIC Seeks Spy Documents in Federal Court

This week, the Senate Judiciary Committee heard a full day of testimony
from Attorney General Alberto Gonzales on the National Security Agency's
warrantless surveillance program.  The Attorney General reiterated
earlier Administration arguments about the purported legality of the
program, but would not discuss operational details.

Despite repeated requests, the Administration has refused to provide
Congress or the public with legal opinions or other documents concerning
the controversial program.  Next Wednesday, the House Judiciary
Committee will vote on resolutions that would direct the Attorney
General to turn over materials related to the program to the House of

In a related development, U.S. District Judge Henry Kennedy heard oral
arguments this morning on EPIC's request for an emergency order
requiring the Justice Department to release documents about the program
within 20 days.  EPIC filed a Freedom of Information Act lawsuit against
the agency last month, stating that the Justice Department agreed to
give EPIC's Freedom of Information Act requests priority treatment, but
has failed to process them even within the FOIA's usual time limit of
twenty working days.  The American Civil Liberties Union and National
Security Archive have filed a similar lawsuit, which Judge Kennedy
consolidated with EPIC's case.

Though he has not yet ruled on EPIC's motion, Judge Kennedy suggested
that a failure by the Justice Department to release the documents
quickly will cause irreparable harm to EPIC and the public.  EPIC has
argued in court papers that such a failure would make it impossible for
EPIC and the public to participate in the debate on the controversial
program -- a debate which "cannot be based solely upon information that
the Administration voluntarily chooses to disseminate."

Earlier this week, EPIC also filed a second FOIA lawsuit for documents
related to the program against the National Security Agency.

Transcript of the Senate Judiciary Committee Hearing on the National
Security Agency's Warrantless Surveillance Program:


EPIC's Complaint Against the Justice Department (pdf):


EPIC's Motion for a Preliminary Injunction (pdf):


EPIC's Complaint Against the National Security Agency (pdf):


EPIC's NSA Warrantless Surveillance FOIA Page:


[3] EPIC Testifies Before Congress on Illegal Record Sales

Two Congressional committees held hearings this month on the illegal
sale of consumers' communications records.  EPIC Executive Director Marc
Rotenberg testified before both the House Energy and Commerce Committee
and the Senate Commerce Committee's Subcommittee on Consumer Affairs. 
“A ban on the sale of these records will dry up the market for illegally
obtained records,” Rotenberg said.

EPIC also called for an end to “pretexting,” the major practice by which
data brokers acquire consumer records.  Pretexters will misrepresent
themselves, often posing as the customer, in order to gain access to the
customer's records.  “A ban on pretexting would make unmistakably clear
the fact that such practices are unfair, deceptive, illegal, and wrong,”
said Rotenberg.

Lawmakers were eager to take action against the sale of
telecommunications records, and already, two bills have been introduced
in the Senate, and two in the House, to address the problem.  At least
two more bills are expected to emerge in Congress soon.  Some of the
bills focus upon making the commercial sale of call information illegal,
while others ban the pretexting of phone records.

However, privacy advocates indicated that these were only first steps in
solving the problem.  Robert Douglas, CEO of PrivacyToday.com and a
former private investigator, indicated that more than just phone records
were at stake, noting that pretexting is used to obtain a wide variety
of private consumer information.  Some of this information includes the
identities of email account holders, P.O. Box owners, and the identities
of those using online dating services.

EPIC also warned that the communications companies who hold the
information must secure the information they collect, as well as
limit the amount of information stored.  Rotenberg emphasized that those
who store consumer information have a responsibility. “The idea is
simple: if you can't protect it, don't collect it,” he said.

EPIC Testimony Before House (pdf):


EPIC Testimony Before Senate:


EPIC's Illegal Sale of Phone Records Page:


Privacy Today Home Page:


[4] Secure Flight Placed on Standby

On February 9, the head of the Transportation Security Administration
told a congressional committee that Secure Flight has been suspended for
a comprehensive review of the program's information security measures.
Testimony from the General Accountability Office revealed that TSA
approved Secure Flight to become operational in September, despite
inconclusive risk assessments and 144 known security vulnerabilities. 
"TSA may not have proper controls in place to protect sensitive
information," the GAO said.

The Secure Flight program was introduced as a successor to the
now-abandoned second generation Computer Assisted Passenger Prescreening
System (CAPPS II). Many of the problems with CAPPS II that led to its
demise continued to plague Secure Flight in its test phase. The
controversial program has been the focus of two government
investigations and is conducting an internal audit of its procedures. 
There is no deadline for the completion of the current audit.

EPIC has criticized the Secure Flight program in the past for secretly
obtaining passenger information in violation of federal privacy law, as
well as its initial efforts to use inaccurate commercial data in making
passenger threat determinations.

In addition to criticizing Secure Flight's lack of privacy safeguards
and security vulnerabilities, the GAO also noted that the documents
underlying the program "contained contradictory and missing

EPIC testified before a House committee in November 2005 about the
Registered Traveler program, a similar effort to profile airline
passengers, and warned that there were significant problems with data
accuracy, as well as ongoing concerns about compliance with the
Privacy Act and the risk of mission creep.

GAO Report on Secure Flight (pdf):


EPIC's Secure Flight Page: 


EPIC Testimony on Registered Traveler, Nov. 3, 2005 (pdf):


[5] Federal Budget Pumps Money Into Surveillance Projects

President Bush's proposed $2.77 trillion budget for Fiscal Year 2007
increases spending on surveillance projects while making substantial
cuts in education, housing, and farm programs. This is a 2.3 percent
increase over projected spending for Fiscal Year 2006. President Bush
had requested $2.57 trillion, but spending is projected to total $2.71

The Department of Homeland Security has requested $42.7 billion, a 6
percent increase from FY 2006. Of this, the US-VISIT border program
would receive $399.5 million, an increase of $62.9 million. Most of the
increase will go toward the expansion of US-VISIT's fingerprint system;
it will now capture all 10 fingerprints instead of two.

DHS's budget request also includes $3.96 million for the Office of
Screening Coordination and Operations. This amount is significantly
lower than its $847 million request last year, reflecting the decision
not to combine eight different screening programs under the office,
instead funding each program separately. The current budget request
states that the money will be used to set common standards for
government screening as well as for Registered Traveler screening
programs run by private companies. Participants in the programs must
provide iris scans and fingerprints and pass a background check by the
Transportation Security Administration. It is unknown what percentage of
TSA's $6.3 billion request would pay for these background checks, which
each cost $30 to $50. EPIC's October 2005 Spotlight on Surveillance
report found that Registered Traveler had significant security and
privacy problems.

However, several homeland security programs were apparently slated for
cuts under the President's Management Agenda.  In a speech earlier this
week, President Bush explained the program: "We ask federal managers to
achieve good results at reasonable costs, and we measure them. The point
is, is that if they can't prove they're achieving good results, then the
programs, in my judgment, ought to be eliminated and/or trimmed back."
Included in the list of programs that have been deemed "not performing"
are: Transportation Security Administration's Air Cargo Security
Programs, Baggage Screening Technology, Federal Air Marshal Service,
Passenger Screening Technology programs, the Border Patrol, and the
Coast Guard's Drug Interdiction program.

The Government Printing Office's Web page on the Fiscal Year 2007


Department of Homeland Security's Budget in Brief Fiscal Year 2007


Government Web site listing "not performing" federal programs:


President Bush's Feb. 8, 2006 speech discussing 2007 budget:


[6] News in Brief

Focus on Medical Privacy Threats Intensifies

Consumer activists and health professionals alike are increasing their
focus upon the threats that a national electronic health records system
might pose to patient privacy. Consumer Reports and Health Management
Technology have both published articles outlining the dangers of a
national network implemented without any privacy protections, including
health information being shared with marketers or with employers, who
could take adverse action against employees based upon medical records.
Errors in medical records would also spread faster and farther
in an online environment. Those concerned about a national network being
built without any privacy safeguards should sign the online petition at

"I Want My Medical Privacy" Petition:


Patient Privacy Rights


Consumer Reports on Medical Privacy Threats:


Health Management Technology on the National Health Information Network:


Centers for Disease Control Urged to Limit Passenger Data Collection

EPIC said in comments to the Centers for Disease Control and Prevention
that it should limit a proposed rule that would require airline and
shipping industries to gather passenger information, maintain it
electronically for at least 60 days, and release it to the CDC within 12
hours of a request. EPIC urged the CDC to collect only necessary data and
to set strict security standards to keep passenger data secure from
unauthorized access and misuse. The CDC also should require the clear
and open disclosure that travelers can refuse to submit their
information without facing penalties, EPIC said.

EPIC's Comments to the CDC (Jan. 30, 2006) (pdf):


The Proposed CDC Rule:


EPIC's Medical Privacy page:


Federal Appeals Court Upholds Travel ID Requirement

A federal appeals court has dismissed a lawsuit about federal airport
regulations requiring passengers to show identification before they
board planes. John Gilmore, co-founder of the Electronic Frontier
Foundation, sued the Bush administration, which claims that the ID
requirement is necessary for security but has not publicly identified
any actual regulation requiring it. A unanimous three-judge panel said
the policy did not violate due process because the law was not a
criminal law, and passengers are fully informed about the policy. The
court also said that passengers have a "meaningful choice." A passenger
"could have presented identification, submitted to a search, or left the
airport," the court said.

Ninth Circuit Court of Appeals Opinion about Gilmore v. Gonzales (pdf):


EPIC's National ID and REAL ID Act page:


Key Privacy Concessions Gained in UK National ID Plans

In the United Kingdom, the House of Lords recently amended plans for a
national ID card to include important privacy protections. According to
the amendments, the card would be voluntary, and not a requirement for
UK residents. In addition, the government must conduct a study detailing
the cost of the scheme, and must provide adequate security for stored
data. While Home Office officials have agreed to conduct a study every
six months, they continue to oppose a voluntary ID. The legislation on
the national ID card returns to the House of Commons on February 13.

Privacy International on National ID Cards:


EPIC's National ID and REAL ID Page


Lawmakers Criticize Tech Companies' Speech Crackdown in China

Members of Congress recently accused four major US Internet companies,
Microsoft, Yahoo, Cisco Systems, and Google, of helping the Chinese
government block certain online information from its citizens by providing
it with surveillance and filtering tools.  Yahoo has been further
criticized for its role in helping Chinese authorities identify
dissidents who posted information on the Web through Yahoo. Two such
identified dissidents were arrested and sentenced to prison terms of 8
and 10 years. Chinese authorities strictly enforce laws that limit
Internet use and censor specific information such as references to
dissidents. The four companies are scheduled to testify at hearings
before the U.S. House of Representatives on February 15.

Hearing Notice:


House Subcommittee on Africa, Global Human Rights, and International Operations:


EPIC's Free Speech Page:


Face and Fingerprints Swiped in Dutch Biometric Passport Crack

A Dutch TV program recently revealed that the Dutch RFID-enabled
biometric passport was cracked in the summer of 2005 by smartcard
security specialist Riscure. Due to a poorly implemented encryption key
scheme, eavesdroppers could record the conversation between an RFID
reader and the passport and later decrypt the contents of the
conversation. The passport holder's biometric data was decrypted on a
standard PC in about 2 hours. Many other countries, including the United
States, are moving ahead with plans to include RFID technology in

EPIC Resources on RFID:


Register Story on the Passport Hack:


Acxiom Proposed Massive Internet-Scanning System

Documents obtained by EPIC from the Department of Justice under the
Freedom of Information Act show that commercial data broker Acxiom
proposed a system to automatically scan the Internet and identify
websites "belonging to advocates of extremist views and actions..." The
plan proposed to extract personal information from websites and use it
"to establish possible connections between extremist groups" and to
collect data for an "Identity Verification System to be used by
airlines, rental car agencies, and other business and government
agencies." Prior releases of FOIA documents showed that Acxiom was
considered as a source of data for the Total Information Awareness
program. The $1,000,000 proposal was submitted to the Justice Department
through Representative Vic Snyder (D-AR) on behalf of Acxiom and
University of Arkansas's Department of Computer Science. It is unclear
whether the proposal was ever funded.

Acxiom FOIA Documents (pdf):


EPIC Commercial Data Broker Page:


Verichip RFID Implant Cloned

Programmer Jonathan Westhues has recently proved that the Verichip
implantable RFID chip can be easily copied.  Anybody capable of
purchasing off-the-shelf electronics equipment and reading the
description below can now impersonate the bearer of the chip and gain
access to their medical records, among other things.  As Verichip has
marketed their chip as a means of managing access control to buildings
and medical records, this represents a significant threat to their
bearer's privacy and security.

For more information about the Verichip, see EPIC's Verichip Page:


Westhues' Page on How to Clone a Verichip:


[7] EPIC Bookstore: Robert Sherrill's "First Amendment Felon"

First Amendment Felon: The Story of Frank Wilkinson, His 132,000-Page
FBI File, and His Epic Fight for Civil Rights and Liberties, Nation
Books, 2005.


The story of Frank Wilkinson, who passed away just last month, is one
that needs to be told, in order to remind us that fear and political
opportunism are often the greatest threats to free speech.  Robert
Sherrill's account of Wilkinson's various struggles with J. Edgar
Hoover's FBI and with the House Un-American Activities Committee
provides just such a pertinent reminder. When called before HUAC in
1958, Wilkinson refused to answer questions about his political
affiliations, citing not the Fifth Amendment, but the First.  When he
lost his Supreme Court appeal in 1961, he was jailed for nine months for
contempt of Congress. Upon his release, he campaigned for the abolition
of HUAC, finally succeeding in 1975.

Sherrill's book provides wide-ranging and vivid context for its subject,
covering Wilkinson's college years through his 1975 vindication, but the
author's perspectives and allegiances are clear. This does not, however,
diminish the facts of Wilkinson's defiance. Make no mistake--this is a
political book, written with an eye on the parallels between the
climates of suspicion both then and now.

--Sherwin Siy


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
60 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2004 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers and
the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several governments
are gaining new powers to combat the perceived threats of encryption to
law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Call for papers for the Workshop on Generating Collaborative Research in
the Ethical Design of Surveillance Infrastructures.  The deadline for
proposals is March 1, 2006. For more information:

IAPP National Summit. International Association of Privacy
Professionals. Washington, DC. March 8-10, 2006. For more information:

Call for papers for the 34th Research Conference on Communication,
Information, and Internet Policy. Telecommunications Policy Research
Conference. Proposals should be based on current theoretical or
empirical research relevant to communication and information policy, and
may be from any disciplinary perspective. Deadline is March 31, 2006.
For more information:

Beyond the Basics: Advanced Legal Topics in Open Source and
Collaborative Development in the Global Marketplace. University of
Washington School of Law. March 21, 2006. Seattle, Washington. For more

Making PKI Easy to Use. National Institutes of Health. April 4-6, 2006.
Gaithersburg, Maryland. For more information:

First International Conference on Availability, Reliability and
Security. Vienna University of Technology. April 20-22, 2006. Vienna,
Austria. For more information:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine
Institute for Software Research and the National Science Foundation.
April 22-23. Montreal, Quebec, Canada. For more information:

The First International Conference on Legal, Security and Privacy Issues
in IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For more

Computers, Freedom, and Privacy Conference (CFP 2006). Association for
Computing Machinery. May 2-5, 2006. Washington, DC. For more information:

34th Research Conference on Communication, Information, and Internet
Policy. Telecommunications Policy Research Conference. September
29-October 1, 2006. Arlington, Virginia. For more information:

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Oshawa, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.03 -------------------------