
                           E P I C  A l e r t
Volume 13.16                                             August 10, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] Key Congressman Doubts DHS Privacy Officer's Qualifications
[2] Non Commercial Users Urge Privacy for WHOIS before IGF
[3] $50 Million Verdict for Violating Drivers' Privacy in FL
[4] GAO: Current Laws Don't Protect Info Held by Data Brokers
[5] RFID Passport Hacked
[6] News in Brief
[7] EPIC Bookstore: Steve Posner, "Privacy Law and the USA PATRIOT Act"
[8] Upcoming Conferences and Events

[1] Key Congressman Doubts DHS Privacy Officer's Qualifications

Representative Bennie Thompson, Ranking Member of the House Homeland
Security Committee, wrote to Michael Chertoff, head of the Department of
Homeland Security to criticize Chertoff's selection of Hugo Teufel to be
the Department's new Privacy Officer.

Thompson begins by noting the importance of the Privacy Officer's role,
ensuring that Homeland Security programs do not abridge privacy rights.
Such oversight not only protects individuals, Thompson said, but it
prevents government waste. "As demonstrated by the CAPPS II and Secure
Flight debacles, failing to consider privacy during the early stages of
programs can cost hundreds of millions of taxpayer dollars and harm
public trust."

Because of the importance of this role, Thompson says, Congress intended
that the Chief Privacy Officer be "a qualified and experienced privacy
expert." Nuala O'Connor Kelly, the first DHS Privacy Officer, is praised
by Thompson for her privacy experience in the private sector and at the
Department of Commerce. Her immediate successor, Maureen Cooney, is also
complimented for her privacy work at the Federal Trade Commission and as
O'Connor Kelly's Chief of Staff. "Both [O'Connor Kelly and Cooney] are
respected among government, private sector, and privacy experts and
brought credibility to the position. They did so by putting their
responsibility to advocate for the American people and their privacy
rights ahead of pleasing the Departmental leadership."

By contrast, Thompson notes that Teufel previously served as an
Associate General Counsel at Homeland Security, where he would have
acted as an advocate for the Department. "It is hard to envision Mr.
Teufel directly challenging the same policies he has vigorously
protected and promoted as would need to be done, at times, by a Chief
Privacy Officer," Thompson wrote. "Even a casual observer could foresee
a conflict between his previous tenure at the Department and his current

Thompson also provides particular anecdotes in support of his doubts.
During a Congressional investigation of alleged contract rigging at the
Department, Teufel directed his staff to turn over documents about a
contractor to Congress. These documents, irrelevant to the
investigation, included personal information, such as individual
employees' names, Social Security Numbers, and drivers license numbers.
"Neither Mr. Teufel nor his staff ever indicated to Committee staff that
he had reservations about sharing this information or even suggested
that the Social Security Numbers of contractor employees and applicants
be redacted," wrote Thompson.

Finally, Thompson pointed out weaknesses in the Privacy officer position
itself, noting that he and other members of Congress doubted the
independence of the office. "By having the Chief Privacy Officer report
directly to the Secretary [of Homeland Security], rather than to
Congress, that individual's ability to be an independent assessor of the
Department's progress is diminished. It is sure to be difficult for the
Privacy officer to act as an independent watchdog, in a manner similar
to how the Inspector General operates, when he or she is a political
appointee whose work must be approved [by the Secretary]."

Rep. Thompson's Letter to Homeland Security Secretary Chertoff (pdf):


Office of the Chief Privacy Officer of DHS:


[2] Non Commercial Users Urge Privacy for WHOIS before IGF

Non-commercial users within ICANN, the corporation that manages the
global domain name system, have urged the Internet Governance Forum
(IGF) to protect privacy in the WHOIS database. A statement from the Non
Commercial Users Constituency (NCUC) highlighted the dangers presented
by having the personal contact information of every domain name holder
disclosed over the Internet.

The IGF, created out of the 2005 meeting of the UN-endorsed World Summit
on the Information Society, seeks to make recommendations to the
international community on the broad issues of Internet governance. The
first meeting of the IGF is scheduled for October 30 through November
2, 2006, in Athens, Greece.

The WHOIS database contains the personal contact information of anyone
who registers a domain name. When a user decides to register a domain
name, he is usually asked for his name, address, email address, and
phone and fax numbers. The user must also provide the complete contact
information for a technical contact and an administrative contact.  In
the case of individuals or small organizations, the registrant himself
is often the administrative contact, providing his own home address and
telephone number. If a user does not provide his name or address, or
complete contact information for the technical and administrative
contacts, his domain name may be taken away. All of this information is
then published in the WHOIS database for anyone to access.

The NCUC statement objects to this current policy, which it says
violates the privacy rights of individuals who register domain names.
The statement notes not only the harms that users may be subject to
(such as stalking, spamming, and harassment), but also that ICANN's
current WHOIS policy may violate international laws and the privacy
rights espoused by the UN's Universal Declaration of Human Rights. The
statement notes that, by denying domain holders the ability to speak
anonymously, freedom of expression is chilled, especially for dissidents
within speech-oppressive regimes. The volume and detail of information
published in WHOIS also places domain name holders at risk of spamming
and phishing attempts that can contribute to identity theft.

EPIC is a member of the NCUC, and has participated in many policymaking
processes on WHOIS, most recently testifying before a U.S. congressional
subcommittee on the privacy threats created by the database.

Non Commercial Users Constituency Statement (pdf):


IGF 2006 Site:


EPIC's WHOIS page:


EPIC's Testimony before Congressional Subcommittee on WHOIS (pdf):


[3] $50 Million Verdict for Violating Drivers' Privacy in FL

After years of litigation, a Florida bank was required to pay $50
million in a class-action settlement resulting from violations of
federal privacy law. Fidelity Federal Bank & Trust of West Palm Beach,
FL, purchased 656,600 names and addresses from the Florida Department of
Highway Safety and Motor Vehicles, for a penny per name. Fidelity
Federal used this information to send unsolicited auto loan brochures to
Florida residents.

The purchase violated the Drivers Privacy Protection Act, a 1994 law
passed after it was shown that stalkers and other criminals had used
motor vehicle records to locate their victims. The law requires that a
state DMV must obtain a driver's opt-in consent before releasing
personal information for marketing purposes. The Florida DMV, however,
sold the information to Fidelity Federal without the drivers' consent.
The Drivers Privacy Protection Act allows individuals to recover either
the actual damages caused by the breach, or $2,500.

A class of the affected drivers sued in federal court, while Fidelity
Federal argued that, since the plaintiffs had not proven actual damages,
they were not entitled to any recovery. After losing in federal district
court, the plaintiffs appealed successfully to the Eleventh Circuit
Court of Appeals in 2005. Earlier this year, the Supreme Court declined
to review the Eleventh Circuit's decision, and the suit, which could
potentially have cost Fidelity Federal $1.4 billion, was allowed to go
forward. The current settlement ends the suit, although the Palm Beach
Post reports that Fidelity Federal may consider action against the state
of Florida. The Post also reports that suits against data brokers who
illegally purchased DMV records are also in the works.

EPIC filed a "friend of the court" brief in favor of the plaintiffs
before the Eleventh Circuit, arguing that the $2,500 penalty provided a
necessary incentive for both states and private entities not to deal in
drivers' personal information. Quantifying and proving in court the
actual damages that result from breaches of information is often
difficult for individuals, since harms from identity theft or other
fraud can easily occur long after the initial breach. It is also often
difficult to trace the source of fraud or identity theft to any one
individual breach.

EPIC's Kehoe v. Fidelity Federal Bank and Trust page:


Supreme Court Denial of Certiorari (pdf):


Palm Beach Post Story on Settlement:


[4] GAO: Current Laws Don't Protect Info Held by Data Brokers

A report recently released by the Government Accountability Office shows
that existing laws do not require data brokers to protect sensitive
personal information. Currently, a patchwork of federal laws apply to
particular types of businesses, or databases used only for particular
purposes. The Gramm-Leach-Bliley Act, for instance, only applies to
information obtained by or from specific financial institutions, while
the Fair Credit Reporting Act only applies to information when it is
used to make certain decisions, such as whether to offer credit or

The GAO found that, because of these restrictions, data brokers that
profit from buying and selling the personal information of individuals
are often not required to take minimal steps to safeguard individuals'
personal information. The GAO therefore recommended that Congress
require data brokers to safeguard this information adequately, and give
the Federal Trade Commission authority to enforce such regulations.

Several bills have been proposed in recent months that would create more
stringent data security requirements for data brokers and other holders
of personal information, though many would also have eliminated stronger
state protections, and prevented state authorities from enforcing the

Studies in Canada and the United Kingdom also highlight the privacy
risks created by insecure handling of personal information. The Canadian
Internet Policy and Public Interest Clinic (CIPPIC) has released two
reports on data protection in the private sector. One surveyed several
dozen online retailers to test their compliance with Canadian privacy
laws, and found "widespread non-compliance" in key areas. Retailers
often did not clearly state what they would do with consumers'
information, or were misleading about their practices. For instance, a
number of policies stated they would not share information without the
consumers' express consent, but then assumed that the consumer had given
consent unless the consumer explicitly opted out. Companies also largely
failed to respond adequately, if at all, to consumer requests to access
their own personal information.

Another CIPPIC study traced the means by which consumer information
makes its way into the hands of data brokers. Not only do specialized
data brokers collect this information from surveys and contests, but a
number of different entities also sell this information to brokers.
CIPPIC's list of data sellers included "magazines, newspapers, mail
order retailers, email and other subscription services, travel agencies,
product manufacturers (via registration/warranty cards), online
educational and information services, and payment processing companies."

A report by the Information Commissioner to the UK Parliament revealed
even more sinister "systematic breaches in personal privacy that amount
to an unlawful trade in confidential personal information."  The report
documents the various abuses and crimes made possible by data brokers
who use fraud and corrupt insiders to obtain personal information
illegally. Among the customers of such illegal services were
journalists, debt collectors, local authorities, stalkers, fraudsters,
and other criminals. The Commissioner recommended increased penalties
for the purchase or sale of personal data, as well as revoking the
license of any private investigator cautioned or convicted for a

GAO Report on Data Broker Regulation (pdf):


CIPPIC Report on Data Brokers:


CIPPIC Report on Compliance with Data Protection Laws:


UK Information Commissioner's Report:


EPIC's Data Brokers Page:


[5] RFID Passport Hacked

A security researcher in Germany has shown that he can clone the radio
frequency identification (RFID) tags that the United States and other
countries will be placing in passports later on this year. Lukas
Grunwald, at the Black Hat security conference in Las Vegas,
demonstrated that he could, with readily available technology, access
the information on the RFID chip, copy it, and place it onto another
document containing another RFID chip.

RFID chips will transmit the data contained within them when triggered
by a radio signal. This allows them to be read remotely. The technology
is scheduled to be placed in all U.S. passports by October of this year.
Government officials have stressed that the passports will be protected
from surreptitious cloning because the cover of the passport will block
signals from reaching the RFID chip. However, the chip can still be read
remotely and surreptitiously when the cover is opened--either by the
passport holder or by anyone to whom the passport has been shown.

The shielding on an RFID-equipped passport also undercuts an oft-touted
benefit of RFID technology--that the chips can be read quickly, without
opening the document or requiring human inspection. And if legitimate
passports can be easily cloned, then the information contained within
the chip must still be verified against the holder and against the
information printed on the document--a process no faster than the
current one.

These criticisms of the technology have already been raised by the
Department of Homeland Security, in a draft report released in June. In
that report, a subcommittee within the Department states that RFID
should not generally be used for identifying individuals, since it
"increases risks to personal privacy and security, with no commensurate
benefit for performance or national security." The report also notes
that carrying a remotely-readable document can erode anonymity and
privacy. Even if a document is encrypted, the mere presence of an
unshielded RFID chip can indicate the type of document carried (such as
a U.S. passport) and thus reveal information about those nearby (that
someone in the vicinity is a U.S. citizen). Similar risks and
vulnerabilities were raised by the Government Accountability Office in
May 2005.

DHS Draft Report on RFID Vulnerabilities (pdf):


GAO Report on RFID Risks (pdf):


EPIC's RFID page:


[6] News in Brief

Court Strikes Down Voter ID Check in Washington

A federal district court in the state of Washington blocked a new law
that would prevent citizens from registering to vote if there were any
discrepancies between a voter's name and the data in a Social Security
Administration or Department of Labor database. The court ruled that the
matching requirement placed an impermissible burden on voters,
especially when an error or omission could easily result in a mismatch
when the applicant was still actually eligible to vote.  The court also
held that the comparison violated the requirements of the Help America
Vote Act, which requires matching only after voter registration, and
only then as an administrative safeguard to store and maintain the list
of voters, not as a restriction on voter eligibility.

Court's Opinion in Washington Association of Churches v. Reed (pdf):


EPIC's Voting Page:


Another Major Flaw in Diebold Voting Machine

The Open Voting Foundation discovered that a model of Diebold voting
machine could be subverted with the flick of a switch. The nonprofit
organization reported that, when a panel is removed with a screwdriver
and a switch is flipped, the Diebold TS voting machine will
automatically run whatever software is present on a flash drive attached
to the machine. The flaw is such that the change could be reversed after
the machine had been tampered with, leaving auditors with no evidence of
the breach.

Open Voting Foundation:


EPIC's Voting Page:


GAO Releases Report on FOIA Compliance 

A report issued by the Government Accountability Office found that more
Freedom of Information Act requests are being delayed than before. The
report indicates that the number of pending requests carried over from
year to year has increased by 24% since 2004, rising to about 200,000 in
fiscal year 2005. The number of requests received (a total of 2.6
million) increased only 2.5% over 2004. The report also showed that
several agencies did not create measurable plans for reducing their
backlogs, despite an executive order requiring this. Among those
agencies were the Department of Commerce, the Department of Defense, and
the Department of Veterans Affairs.

GAO Report:


EPIC's FOIA Notes:


DHS Plans to Fingerprint Permanent Residents

The Department of Homeland Security recently proposed new rules greatly
expanding the number of people who would be required to submit
fingerprints to the US VISIT program. The expanded program would collect
fingerprints from legal permanent residents, refugees seeking asylum in
the United States, and many categories of Canadians not now included in
the program. Under the proposed rules, fingerprints would be collected
from the individuals at air and sea ports when reentering the United
States. Homeland Security is requesting comments on this new proposal,
and any member of the public may do so. The deadline for submitting
comments is August 28, 2006.

Proposed Rule Expanding Fingerprinting:


Comment on the Rulemaking (search for DHS-2005-0037):


Senate Approves Cybercrime Treaty

On August 3, the Senate ratified a treaty that expands the search and
seizure powers of law enforcement in pursuing computer crimes. The
Council of Europe's Convention on Cybercrime, sent to the Senate in
2003, criminalizes hacking (including the production, sale, or
distribution of hacking tools), and expands criminal liability for
intellectual property violations. The treaty also requires signatories
to grant law enforcement additional search powers, such as being able to
compel Internet service providers to monitor user activity. The treaty
also requires that countries cooperate with each other in cybercrime
enforcement to the "widest extent possible." Last year, EPIC issued a
statement to the Senate Committee on Foreign Relations, opposing
ratification. The creation of new surveillance powers without adequate
safeguards, EPIC said, would erode privacy rights in the United States.
"The Cybercrime Convention is much more like a law enforcement 'wish
list' than an international instrument truly respectful of human
rights," EPIC said.

EPIC's Cybercrime Convention Page:


EPIC's Statement on the Cybercrime Convention (pdf):


[7] EPIC Bookstore: Steve Posner, "Privacy Law and the USA PATRIOT Act"

Privacy Law and the USA PATRIOT Act. Steve C. Posner. LexisNexis, 2006.


Drafted and passed only six weeks after September 11th, the USA PATRIOT
Act has, in popular consciousness, been elevated beyond a mere law and
into a symbol of increased government surveillance. Because of its
iconic status, it has been cited by both its proponents and opponents as
containing provisions it does not, confusing debates on government
powers and surveillance. Steven Posner's treatise, "Privacy Law and the
USA PATRIOT Act," focuses clearly upon the many areas of privacy law
affected by the Act. The treatise begins with a thorough and well-cited
legislative history, including the several bills proposed in the time
between September 11th and the Act's introduction. The second chapter
provides a good overview of the legal right to privacy, in its many
nuances and subcategories. Each of the following chapters then proceeds
through the Act title by title. This organization leads to some
chapters, on issues less frequently debated or litigated, being somewhat
terse, but no less useful. On the other hand, Chapter 4, on
surveillance, is rightfully one of the longest and most comprehensive.
Particular attention is paid to the Section 215 provisions that have
raised such grave concerns over the privacy of library and business
records. In dealing with these controversial sections, Posner takes the
time to not only cite the relevant statutory material and case law, but
also to provide the history and executive actions that informed the
Act's creation, interpretation, and amendment. With methods like these,
Posner's treatise takes an often-convoluted subject matter and makes it
far more understandable.

--Sherwin Siy


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New
York, New York. For more information:

Identity and Identification in a Networked World. New York University. 
September 29-30, 2006. New York, New York. For more information:

34th Research Conference on Communication, Information, and Internet
Policy. Telecommunications Policy Research Conference. September
29-October 1, 2006. Arlington, Virginia. For more information:

6th Annual Future of Music Policy Summit. Future of Music Coalition.
October 5-7, 2006. Montreal, Canada. For more information:

The IAPP Privacy Academy 2006. International Association of Privacy
Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Markham, Ontario, Canada. For more information:

Internet Governance Forum (IGF) October 30-November 2, 2006. Athens,
Greece. For more information:

28th International Data Protection and Privacy Commissioners'
Conference. November 2-3, 2006. London, United Kingdom. For more

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.16 -------------------------