
                           E P I C  A l e r t
Volume 13.07                                              April 06, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] Federal, State Officials Object to Proposed IRS Rules
[2] Coalition Pushes for Privacy in Electronic Health Records
[3] Congress Continues to Scrutinize Warrantless Surveillance Program
[4] Federal Agency Finds Flaws in Government Use of Commercial Databases
[5] Report on Bank Privacy Notices Recommends Cosmetic Changes
[6] News in Brief
[7] EPIC Bookstore: Evan Hendricks's "Credit Scores and Credit Reports"
[8] Upcoming Conferences and Events

[1] Federal, State Officials Object to Proposed IRS Rules

Attorneys General from 46 states and the District of Columbia filed a
formal objection to proposed IRS rules that would allow businesses to
share taxpayer information more easily for marketing and other purposes.
Senator Barack Obama and privacy organizations also opposed the rule.

In a letter to IRS Commissioner Mark Everson, Senator Obama expressed
concern that taxpayers often sign documents and tax forms prepared by
tax preparers without reading them. Therefore, taxpayer consent for the
disclosure of their financial data could be less than voluntary. Senator
Obama also has introduced a bill placing significant restrictions on the
disclosure of such sensitive financial information to third parties.

The attorneys general recommended a ban on sharing taxpayer information.
"We are greatly concerned that this regulation, if adopted as proposed,
will erode consumer privacy and the security of sensitive personal
information, with a consequent increase in such serious problems as
identity theft and intrusive or even abusive marketing practices," they
said. The state officials also made several proposals for minimum
safeguards that would protect privacy and stem identity theft. These
proposals are similar to ones submitted to the IRS in March by EPIC,
Privacy Rights Clearinghouse and World Privacy Forum.

In the privacy organizations' comments, they said that, though "[t]he
proposed changes to the regulations represent an important effort to
increase taxpayers' awareness of what is done with their personal
information," there are problems that must be solved to ensure adequate
taxpayer privacy. "[T]he updated regulations fail to adequately
safeguard taxpayer privacy because they neglect to protect information
once it is disclosed, allow consent that is less than voluntary, and
carry penalties that are not harsh enough to ensure tax return preparers
obey the law," the groups said.

EPIC's current Spotlight on Surveillance feature surveys other problems
at the IRS. In March, two government reports found that the agency has
poor physical and electronic security. In the Federal Computer Security
Report Card for 2005, the Treasury Department received a D-minus grade,
down from a D-plus grade in 2004. The majority of Treasury systems are
those belonging to IRS. The government-wide computer-security grade for
2005 was D-plus, while Homeland Security and Defense both received an F.

Also, the Government Accountability Office reported that weaknesses in
information security at the IRS "increase the risk that sensitive
financial and taxpayer data will be inadequately protected against
disclosure, modification, or loss, possibly without detection, and place
IRS operations at risk of disruption." Though the agency's computer
security had improved since the last assessment a year ago, the GAO
found multiple security problems. These include: IRS's physical security
controls (restricting physical access to computer facilities and
resources); software patch management; and electronic access controls
such as passwords, user rights and file permissions. The IRS also has
had considerable trouble with its contractors improperly accessing and
collecting sensitive taxpayer data. In one case, an IRS contractor spent
several months collecting political party affiliation data on taxpayers
in 20 states, in violation of the law.

Senator Obama's Bill Concerning IRS Disclosures:


Letter From Attorneys General (pdf):


Comments of EPIC, Privacy Rights Clearinghouse, and World Privacy Forum
on Proposed Regulations:


Proposed IRS Regulations (pdf):


Spotlight on Surveillance March 2006:


[2] Coalition Pushes for Privacy in Electronic Health Records

A broad coalition of 26 organizations, led by Patient Privacy Rights,
has issued a letter urging that privacy be included as a core part of
any health information technology (HIT) system. Patient Privacy Rights
was joined by the American Conservative Union, the American Civil
Liberties Union, the Free Congress Foundation, the Christian Coalition
of America, and the Electronic Privacy Information Center in the letter.

Proponents of electronic access to health records argue that a HIT
system can ease medical treatment. For instance, patients who need
treatment when far from home will benefit if doctors can access their
medical records. However, the organizations said that patients should
have the ability to grant or deny access to that information in ordinary
circumstances. "The proper balance to ensure timely access to medical
records for treatment and preserve patient control of medical records
means allowing access in emergencies if consent cannot be obtained, but
requiring patient permission before records are disclosed in everyday
situations," the groups wrote.

The organizations also stressed the need for strong security measures
for any HIT system. In light of the many security breaches reported by
commercial and financial institutions, security standards for a HIT
system must be stronger than those currently used by the financial
services industry.

The flexibility of an electronic system of health records should also
allow patients to control the levels of access for different groups. For
instance, while treating physicians may need access to personal
information like names, addresses, and phone numbers, medical
researchers conducting statistical studies would not need such

Congress is currently considering several health information technology
bills, each named the "Wired for Health Care Quality Act." Last
November, the Senate passed S. 1418, which is awaiting action in the
House. There are also two House companion bills, H.R. 4642 and H.R.

Patient Privacy Coalition Letter:


EPIC's Medical Privacy Page


Patient Privacy Rights


S. 1418:

H.R. 4642:


H.R. 4726:


[3] Congress Continues to Scrutinize Warrantless Surveillance Program

The Senate and House Judiciary Committees recently held three hearings
in which they continued to ask questions about the National Security
Agency's controversial warrantless surveillance program.

Last week, the Senate Judiciary Committee held its third hearing on the
surveillance operation, focusing on the Foreign Intelligence
Surveillance Court and the extent of executive power during wartime. The
committee heard testimony from four judges who have served on the
secretive court, all of whom endorsed a bill proposed by Senator Arlen
Specter that would require the program to be subject to the court's
oversight. Judge James Robertson, who resigned from the court shortly
after the program became public, sent a letter to the committee
expressing support for the bill.

Also testifying was David S. Kris, a former high-level official in the
Justice Department. Documents obtained by EPIC in March through Freedom
of Information Act litigation revealed Kris' skepticism that the
surveillance was permitted by the Authorization for Use of Military
Force Resolution. In one e-mail, Kris wrote that the Justice
Department's legal arguments for the program "had a slightly
after-the-fact quality or feeling to them." During his testimony, Kris
said that he believes the program violates the Foreign Intelligence
Surveillance Act, and voiced support for legislation to govern the

Last week the Senate Judiciary Committee also held a hearing on Senator
Russ Feingold's resolution to censure President Bush for authorizing the
surveillance program. Members of the House Judiciary Committee also
pressed Attorney General Alberto Gonzales for answers about the program
during a Justice Department oversight hearing on April 5.

In related news, U.S. District Court Judge Henry H. Kennedy recently
granted the Justice Department's motion for more time to process
material about the warrantless surveillance program in a Freedom of
Information Act lawsuit pursued by EPIC, the ACLU and the National
Security Archive. In February, Judge Kennedy ordered the agency to
process and release documents related to the program by March 8. The
Justice Department released some unclassified material by the deadline,
but relied on classified affidavits to press for four additional months
to process other documents. Judge Kennedy has ordered the agency to
process some records by early May, and all other material by early July.

S. 2453, National Security Surveillance Act of 2006:


EPIC's Domestic Surveillance FOIA page:


EPIC Feature: Resources on Domestic Surveillance:


[4] Federal Agency Finds Flaws in Government Use of Commercial Databases

The Government Accountability Office issued a report on April 4 stating
that government agencies and the private companies from which they buy
personal information often do not follow fair information practices in
handling individuals' data. Fair information practices are a set of
principles that ensure that individuals' personal information is handled
in a way that protects privacy. The principles include collection
limitation, which ensures that only necessary data is collected; purpose
specification, meaning that individuals are informed of the reasons data
is collected; and use limitation, which means that data is used only for
the purposes for which it was collected.

In the report, the GAO stated that the data brokers supplying government
agencies with information are fundamentally at odds with fair
information practices, as data brokers base their businesses upon
multi-purpose collection and use of personal information from multiple
sources. Furthermore, the GAO reported that data brokers generally do
not inform individuals that information is being collected about them,
or give individuals the ability to access and correct information held
by the broker.

The agencies themselves also fall short in protecting privacy when using
commercial data, since agencies frequently do not notify the public when
commercial databases are used to compile personal information into
government systems of records. The GAO also emphasized that government
agencies lack consistent policies on how to treat data bought from
commercial sources.

A representative from the Consumer Data Industry Association criticized
the GAO report, noting that many data brokers are already regulated
under the Fair Credit Reporting Act, and thus are obligated to obey fair
information practices embodied in the Act. However, though many data
brokers provide services regulated under federal laws, they will also
offer parallel services designed so that the privacy laws do not apply.

GAO Report on Agency and Reseller Use of Personal Information (pdf):


House Judiciary Committee Hearing Notice:


[5] Report on Bank Privacy Notices Recommends Cosmetic Changes

Six federal agencies charged with enforcing financial privacy laws
sponsored a report that detailed recommended changes to bank consumer
privacy notices. As part of their responsibilities, the agencies hired a
communications group to design a replacement for the often-confusing
privacy notices that banks must send to their customers under the
Gramm-Leach-Bliley Act.

The Kleimann Communication Group created a privacy notice incorporating
a more user-friendly design and a table outlining the various entities
to whom a bank may disclose information. While the study focused on the
readability of the notice, it was not asked to address the more basic
problem of consumers being able to effectively control the uses of their
information. For instance, consumers indicated that they often could not
choose banks based on privacy policies, since factors like location and
services might require them to choose banks that had weaker privacy

The study also seemed to indicate that consumers were very concerned
with the level of information sharing currently allowed by federal laws.
Many test consumers incorrectly assumed that the information routinely
shared by banks, such as Social Security information, could not be
legally shared. As test group consumers became more informed as to bank
policies, they grew less trustful of the banks. Consumers across the
country spontaneously raised the threat of identity theft and linked
increased theft risk with increased sharing.

FTC Press Release on the Report:


Copy of the Notice Report (pdf):


EPIC's Gramm-Leach-Bliley Act Page:


[6] News in Brief

United Kingdom Passes Law Paving Way for National ID Card

UK lawmakers approved a measure requiring Britons applying for passports
before January 2010 to get an identity card. A Briton can opt out, but
if he does, he will be put into a national database. This is a
compromise measure passed after five rejections of a bill that would
have made the cards mandatory for all residents of Britain. The cards
would store biometric data such as digital iris images or fingerprints.
A report by leading academics from the London School of Economics said
that the ID scheme will be costly, inefficient, and easily subverted.

London School of Economics Report (pdf):


EPIC's National ID Cards and REAL ID Act page:


Pentagon Ends Effort to Withhold Images of Abu Ghraib Abuse

The Defense Department has dropped its challenge to a court decision
ordering the release of photos and videos depicting American troops
abusing detainees at Abu Ghraib prison. According to an agreement
reached by the Pentagon and ACLU, the Defense Department will
authenticate photos of abuse that have already been posted by Salon.com,
and disclose any additional images that are not yet public. The Defense
Department had refused to release the information under the Freedom of
Information Act, claiming that such disclosure would "endanger the life
or physical safety" of U.S. soldiers in Iraq. Last month, EPIC and the
National Security Archive filed a "friend of the court" brief in the
case, which argued that the government's claims undermine the Freedom of
Information Act's purpose of promoting open, honest and accountable

Amicus Brief Filed by EPIC and the National Security Archive (pdf):


District Court Decision in ACLU v. Department of Defense (pdf):


ICANN Again Puts Off .xxx Domain Decision

The Internet Corporation for Assigned Names and Numbers (ICANN) again
declined to move toward creating a ".xxx" top-level domain for adult
content. At its 25th International Meeting in Wellington, New Zealand,
the company, which determines policy for assigning domain names to
Internet protocol addresses, delayed the plan, ostensibly to address
concerns that the company applying to administer the domain met certain
requirements. ICANN had "indefinitely" delayed decision on the .xxx
domain in December, and had rejected calls for the domain five years
ago. Some critics of the proposed domain feel it legitimizes the
existence of pornography, while free-speech advocates say that it would
encourage censorship without preventing unwanted access to adult

ICANN home page:


Not Just Google: ISPs, Software Companies Subpoenaed by Justice Dept.

Documents uncovered by InformationWeek and the New York Sun through the
Freedom of Information Act reveal that the Justice Department demanded
records from at least 34 other Internet companies and software producers
in its attempts to defend the Child Online Protection Act, an Internet
censorship law blocked as unconstitutional by the Supreme Court in 2004.
Companies were told to provide demographic information about their
users, the types of filtering software that they offered, and any
studies that evaluated the effectiveness of filters or the number of
pornographic sites on the Web. The Justice Department intended to use
this information to argue that filters are an ineffective alternative to
the Child Online Protection Act, which would make it a criminal offense
for anyone to post adult material on the web, unless the website first
collects personal information proving that users are not minors.

InformationWeek's Archive of Justice Department Subpoenas:


EPIC's Child Online Protection Act Page:


EPIC Testifies on CA Pretexting Legislation

Legislation that would impose a blanket ban on "pretexting" sailed
through the California Senate Judiciary Committee yesterday. The bill,
SB 1666, sponsored by Senator Bowen (D-Redondo Beach), would prohibit
any person from using pretexting, soliciting pretexting services, or
from knowingly purchasing information obtained through pretexting. In
testimony before the Committee, EPIC argued that a broad ban on
pretexting was necessary to address data brokers who use the practice
against automobile navigation companies, dating websites, and employers.

SB 1666:

EPIC Testimony on SB 1666:

EPIC Illegal Sale of Phone Records Page:


EPIC Comments on Canadian Do-Not-Call Registry

Canadians will soon enjoy a telemarketing Do-Not-Call List, as the
country's Radio-Television and Telecommunications Commission (CRTC) has
started a proceeding to tighten telemarketing regulations. EPIC provided
comments to the body, urging it to adopt a consumer-friendly approach to
the list. Specifically, EPIC argued that the Federal Trade Commission's
Do-Not-Call framework was a remarkable success because it covered all
sectors of telemarketers (except non-profits and politicians), was free
for consumers, and was simple to sign up for. EPIC argued that the CRTC
should remove a special-interest exemption for newspapers, and that an
exemption for "established business relationships" should be narrowed
to fit consumers' expectations of when a transaction can give rise to
telemarketing. Anyone may comment on the proceeding until May 10, 2006.

Canadian Radio-Television Do-Not-Call Page:

EPIC Comments on Canadian Do-Not-Call:

EPIC, EFF Comment on San Francisco Wifi Proposals

EPIC and the Electronic Frontier Foundation have submitted an analysis
of six proposals to provide San Francisco with wireless municipal
broadband. The proposals come in response to the city's "TechConnect"
initiative, which seeks to bridge the digital divide by providing all
San Franciscans with free or low-cost broadband. EPIC and EFF specified
that a privacy-friendly network would promote anonymity by allowing
access without "signing in," by allowing a level of free access to avoid
identification through payment, and by limiting targeting and profiling
for commercial purposes.

Privacy Analysis of the Competing Wifi Proposals:

[7] EPIC Bookstore: Evan Hendricks's "Credit Scores and Credit Reports"

Evan Hendricks. "Credit Scores and Credit Reports: How the System
Really Works, What You Can Do" (Privacy Times, 2005).


"Whether we like it or not, the credit score is emerging as the most
important "number" in the financial lives of American consumers. The
FICO score is often the major factor in determining how much consumers
pay for mortgages, refinancing, auto loans and credit cards, as well as
for auto or homeowners insurance.

Despite its importance, credit scoring began as a secret system, and has
been shrouded in mystery ever since. In addition, there is little
understanding of the credit reporting system, which holds financial
histories on 210 million Americans and is the source of data for
calculating credit scores. One problem: the credit reporting system has
a long history of inaccuracy.

Through careful research and precise writing, Credit Scores & Credit
Reports allows consumers to understand how these systems actually work,
and what they can do to improve their FICO scores. Importantly, the book
also describes how the system sometimes doesn't work, and how hundreds
of thousands, if not millions, of consumers have been frustrated in
their efforts to correct errors in their credit reports."


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining, and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
60 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2004 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

First International Conference on Availability, Reliability and
Security. Vienna University of Technology. April 20-22, 2006. Vienna,
Austria. For more information:

Third International Conference on Security in Pervasive Computing.
University of York. April 19-20, 2006. York, United Kingdom. For more

Access to Knowledge Conference. Yale Information Society Project.
April 21-23, 2006. New Haven, Connecticut. For more information:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine
Institute for Software Research and the National Science Foundation.
April 22-23. Montreal, Quebec, Canada. For more information:

The First International Conference on Legal, Security and Privacy Issues
in IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For more

Computers, Freedom, and Privacy Conference (CFP 2006). Association for
Computing Machinery. May 2-5, 2006. Washington, DC. For more information:

Conference on Data Protection and Security: A Transnational Discussion.
International Association of Young Lawyers. May 5-6, 2006. Washington,
DC. For more information:

Call for papers for the CRCS Workshop 2006: Data Surveillance and
Privacy Protection. Center for Research on Computation and Society. June
3, 2006. Cambridge, Massachusetts. For more information:

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New
York, New York. For more information:

34th Research Conference on Communication, Information, and Internet
Policy. Telecommunications Policy Research Conference. September
29-October 1, 2006. Arlington, Virginia. For more information:

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Markham, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.07 -------------------------