========================================================================
E P I C   A l e r t
========================================================================
Volume 13.19 September 22, 2006
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_13.19.html

========================================================================
Table of Contents
========================================================================
[1] Voting ID Requirements Struck in Missouri
[2] Privacy and Security Flaws Imperil Transit Worker ID Program
[3] International Consumer Groups Urge US, EU to Protect Passenger Data
[4] EPIC Urges US to Stop Surveillance Tech Exports
[5] DC Residents Speak Up for Crime Prevention
[6] News in Brief
[7] EPIC Bookstore: "Privacy, Information, and Technology"
[8] Upcoming Conferences and Events

========================================================================
[1] Voting ID Requirements Struck in Missouri
========================================================================

On September 14, a Missouri trial court struck down a state law requiring voters to present a government-issued photo ID at the polls. Judge Richard Callahan of Cole County Circuit Court found that the law violated the Missouri constitution, since it denied the right to vote to those who

Citizens of the state had challenged the new law, arguing that its restrictions denied the right to vote to those who could not afford to obtain such IDs. In 2005, the state expanded the number of documents required to obtain a driver's license or ID card. The 2005 law required applicants to prove lawful presence, identity, and residence. Although the state did not charge for ID cards themselves, applicants for an ID must spend money on documents required to obtain the ID.
Lawful presence, for example, could be established with a US passport ($97-$236) or a birth certificate with an embossed or raised seal by the issuing state or municipality ($15-$30). For citizens born abroad, the cost for voting would have been even greater. The court also noted that there had been no complaints of voter fraud under the previous voting law, which did not require a government-issued photo ID.

Two other states have addressed voter ID requirements in recent weeks. On September 19, Georgia's third attempt at a voter photo ID requirement for the state's special election was also declared unconstitutional by a federal court judge.

A federal judge in Arizona, however, allowed a state ID requirement to stand one day before its first use during a statewide primary election. On September 11, U.S. District Judge Roslyn O. Silver refused to halt enforcement of the new law's application, requesting additional briefs and scheduling a hearing for October 19, but without providing the reasoning for her decision. Arizona's new law, enacted as a result of a ballot initiative in 2004, imposes proof of citizenship requirements on voters both during the registration process and on Election Day.

According to the National Conference of State Legislatures, 24 states have some form of ID requirement, while only seven require a photo ID. This list does not include the state of Georgia, due to the court decisions earlier this year.

Some federal lawmakers are pressing for similar requirements, however. The US House of Representatives passed H.R. 4844, the Federal Election Integrity Act, by a vote of 228 to 196. This bill would require voters to prove their citizenship and present photo ID prior to voting in any federal election. The bill contains no funding, nor any provision for those who might oppose photo ID documents because of religious beliefs. Currently there is no document recognized as providing proof of citizenship.

Ruling in Missouri Case, Weinschenk v. Missouri (pdf):
http://www.epic.org/privacy/voting/pdf_files/Misri_vot2.pdf

Complaint in Weinschenk v. Missouri (pdf):
http://www.epic.org/privacy/voting/pdf_files/Misri_vot3.pdf

EPIC's Voting Page:
http://www.epic.org/privacy/voting

========================================================================
[2] Privacy and Security Flaws Imperil Transit Worker ID Program
========================================================================

Security and privacy problems have delayed the implementation of the Transportation Worker Identification Credential program. TWIC is a Homeland Security program designed to screen the backgrounds of and issue biometric ID cards to the nation's 750,000 air, land and sea transportation workers.

TWIC was created in November 2002 as part of maritime security legislation, but the pilot program was delayed for two years. In that time, its cost has nearly doubled from $12 million to $23 million, even though only 4,000 of the planned 200,000 cards were issued through a pilot program.

Under TWIC, Homeland Security would gather finger scans, iris scans, digital photographs and detailed biographical, employment and other personal data from those hoping to work in the transportation industry. The applicants' names would then be run against immigration and terror watch lists.

EPIC has previously reported about the mistakes and problems associated with terror watch lists. Often innocent people are on or have similar names to those on the lists, and it is difficult to correct the lists. Sen. Ted Kennedy was matched to a name on the list, and he could only resolve the problem with the help of then-Homeland Security Secretary Tom Ridge. The lists are also bloated -- they were revealed to include 325,000 names.

The Inspector General for the Department of Homeland Security released a report in July titled "DHS Must Address Significant Security Vulnerabilities Prior To TWIC Implementation."
The report said, "Due to the number and significance of the weaknesses identified, TWIC prototype systems are vulnerable to various internal and external security threats." The security problems must be rectified because they "may threaten the confidentiality, integrity, and availability of sensitive TWIC data," the report said.

Homeland Security has postponed the installation of TWIC card readers. It is not known when or if the program will be fully implemented.

TSA's page on TWIC:
http://www.tsa.gov/what_we_do/layers/twic/index.shtm

DHS Inspector General Report on TWIC (Redacted) (pdf):
http://www.epic.org/redirect/dhs_ig_twic.html

EPIC's Biometric Identifiers page:
http://www.epic.org/privacy/biometrics/

EPIC's National ID Cards and REAL ID Act page:
http://www.epic.org/privacy/id_cards/

========================================================================
[3] International Consumer Groups Urge US, EU to Protect Passenger Data
========================================================================

The Transatlantic Consumer Dialogue (TACD), a coalition of US and EU consumer groups, wrote to US and EU officials, urging them to include privacy safeguards in air passenger data sharing agreements. Officials in the US and EU are currently discussing the international sharing of passenger name records (PNRs) between the travel industry and law enforcement. United States Homeland Security Secretary Michael Chertoff is seeking to expand the data that is available to US agencies, and to share the data with more US agencies.

PNRs are data held by air carriers and travel agents collected during booking. They can include passenger travel dates, home and work addresses, payment details, members of party, meal preferences (such as whether a passenger requires halal or kosher meals), and more. However, the minimum amount required for a travel booking is a name, contact information, and itinerary.
PNRs have been shared with the US under an agreement that was held to be invalid by a May 2006 European Court of Justice decision. That decision held that the data sharing agreement violated the privacy of European air travelers, a violation of the 1995 EU directive on data protection. The court ruled that the agreement must be renegotiated with proper protections and legal basis or it would be annulled by September 30, 2006.

The consumer groups request that officials considering PNR sharing abide by three criteria. First, the agreement must respect the May 2006 European Court of Justice decision that PNR sharing agreements must have an adequate legal basis and be respectful of US and EU privacy laws. Second, the US and EU must conduct a study comparing the effectiveness of passenger profiling with other safety techniques. Third, the groups held that an annual report of PNR sharing must be published.

Text of TACD letter:
http://www.epic.org/redirect/tacd_pnr_letter.html

Wikipedia Entry on Passenger Name Records:
http://en.wikipedia.org/wiki/Passenger_Name_Record

EPIC's page on Passenger Name Records:
http://www.epic.org/privacy/intl/passenger_data.html

========================================================================
[4] EPIC Urges US to Stop Surveillance Tech Exports
========================================================================

In a letter addressed to the Secretary of Commerce Carlos Gutierrez, EPIC urged the Department of Commerce to restrict the export of high-tech surveillance equipment to China. While the US has restricted the export of products such as tear gas, handcuffs, and shotguns to China, the letter noted, high-tech equipment that can be used for surveillance and censorship is freely exported to the country. The export restrictions were put in place following the 1989 Tiananmen Square massacre.
Recent reports on human rights abuses in China have focused on the role that US technology companies have played in the suppression of free speech. A recent article in BusinessWeek, for example, highlighted the fact that Oracle, Cisco, Motorola, and EMC Corp. all sold technology products to Chinese police and security authorities that can be used to track political dissidents, in spite of China's "dismal" human rights record.

EPIC's letter highlighted portions of this track record indicating that surveillance and censorship technology plays a major role in human rights abuses. For instance, the US State Department's 2005 report on human rights in China states, "During the year authorities monitored telephone conversations, facsimile transmissions, e-mail, text messaging, and Internet communications...The security services routinely monitored and entered residences and offices to gain access to computers, telephones, and fax machines."

The technology that allows this surveillance and tracking, said EPIC, was often provided by companies based in the United States. Cisco, for example, has marketed and sold its products as "strengthening police control."

In hearings conducted in February, members of the House Subcommittee on Human Rights condemned a number of US companies for their role in suppressing free speech and dissent in China. The company representatives said that they were abiding by Chinese law, and asked the US government, including the Department of Commerce, to also take a strong stand against human rights abuses.

EPIC's letter stressed this need for leadership from the US government: "The American democratic tradition, and its worldwide reputation of valuing democracy and individual freedoms could be undermined by the involvement of the US technology industry…Companies need to be presented with a strong legislative framework in which to carry out their trade with Chinese customers."
EPIC's Letter to Secretary Gutierrez (pdf):
http://www.epic.org/privacy/intl/doc_china_letter.pdf

BusinessWeek Article:
http://www.businessweek.com/magazine/content/06_38/b4001067.htm

House Human Rights Subcommittee, Hearing Notice: The Internet in China:
http://wwwc.house.gov/international_relations/109/af021506.htm

========================================================================
[5] DC Residents Speak Up for Crime Prevention
========================================================================

Washington, DC, residents and a coalition of groups, including EPIC, the ACLU, DC Action for Children, and Efforts for Ex-Cons, gathered Monday night to discuss crime prevention measures. Topics included community policing, curfews, rehabilitation of ex-offenders, and surveillance cameras.

Johnny Barnes, Executive Director of the ACLU-National Capital Area, welcomed the crowd and explained that the gathering was in response to "emergency crime legislation" that the DC Council hastily enacted in response to several high profile crimes. The emergency legislation more than doubled the number of cameras in the district, created an earlier curfew and expanded police access to confidential juvenile information.

Ron Hampton, Executive Director of the National Black Police Association and a self-described "former beat cop," explained the many ways that effective community policing helps cut crime rates. When the police have the resources to devote to learning about the people and places in their neighborhood beats, they are better able to help the community with crime reduction and prevention, he said. Such community policing would reduce the fear of crime and improve relations between the police and citizens, he said.

Melissa Ngo, Director of EPIC's Identification and Surveillance Project, and Jay Stanley, Public Education Director of the Technology and Liberty Program at the ACLU, discussed the problems with surveillance cameras.
Constant surveillance, Stanley said, creates a chilling effect on free speech when people learn that their peaceful, legal protests are being watched and recorded. Stanley also pointed out that the cities of Detroit, Miami, and Oakland all abandoned their camera surveillance systems because they were ineffective in reducing crime. Studies have also shown that it is more effective to place more officers on the streets and improve lighting in high-crime areas than to use surveillance cameras, he said.

Ngo said the cameras are invasive and just don't work. Furthermore, she said, funds spent on cameras could be spent on more effective crime-fighting tools. The emergency legislation allotted $2.3 million for the city to buy 23 cameras to add to the 19 cameras in the District, but Ngo said the $2.3 million could have been put to better use by hiring an additional 46 police officers, at a salary of $50,000.

After the expert presentations, there was a question and answer period with the audience.

The DC Council's Committee on Consumer and Regulatory Affairs will hold a public hearing on PR 16-766 "Metropolitan Police Department Closed Circuit Television Regulations Amendment Approval Resolution of 2006" on Oct. 4, 2006 in Room 412 of the John A. Wilson Building at 1350 Pennsylvania Ave. NW, Washington, DC.

D.C. Council Home Page:
http://www.dccouncil.washington.dc.us/

American Civil Liberties Union-National Capital Area:
http://www.aclu-nca.org/

National Black Police Association:
http://www.blackpolice.org/

EPIC's Comments to the D.C. Council on the April CCTV proposal (pdf):
http://www.epic.org/privacy/surveillance/cctvcom062906.pdf

EPIC's Video Surveillance page:
http://www.epic.org/privacy/surveillance/

========================================================================
[6] News in Brief
========================================================================

EU Data Supervisor: Privacy, Security Not Opposed

On September 18, Peter Hustinx, the European Data Protection Supervisor, emphasized the importance of personal privacy in ensuring national security. "It is a misconception that protection of privacy and personal data holds back the fight against terrorism and organised crime. . . Good data protection actually goes hand in hand with legitimate crime fighting because it increases the quality of data bases and at the same time makes sure that only the right people can access them," he said. Hustinx stated that existing laws and legal processes allowed for law enforcement access to important information on criminals and terrorists, and that any new systems allowing access to personal information needed to have adequate checks and safeguards to protect personal privacy.

Press Release from the European Data Protection Supervisor:
http://www.epic.org/redirect/hustinx_statement.html

Social Networking Site Pays $1 Million for Privacy Violations

Xanga.com, a social networking site, agreed to pay $1 million for violating the Children's Online Privacy Protection Act. The Federal Trade Commission brought the action against the website after Xanga collected, used, and disclosed information about children under the age of 13 without first notifying parents and obtaining their consent. Although Xanga's policies stated that users had to be over 13 to join, it allowed users to register on the site even after they provided a birth date indicating they were under 13 years old.
The consent order not only includes the $1 million penalty, but also requires that Xanga delete all of the information collected on underage children.

FTC Press Release:
http://www.ftc.gov/opa/2006/09/xanga.htm

Text of the Consent Decree (pdf):
http://www.ftc.gov/os/caselist/0623073/xangaconsentdecree.pdf

British Protest Covert Trash-Monitoring Chips

Homeowners in Britain are protesting the recent installation of electronic chips in their outdoor trash cans. The chips measure the weight of trash placed in the cans and transmit that information to a central database. British officials have said the information could be used to fine residents who are not recycling enough. Homeowners have been removing the monitoring chips from their cans and sending them to city council members with angry letters. City councils are responding with threats of fines for damaging city property.

Coverage of the Protests in the Daily Mail:
http://www.epic.org/redirect/trash_chip_story.html

US Should Limit SSN Use, Task Force Says

The President's Identity Theft Task Force issued its interim recommendations for combating identity theft, which the Federal Trade Commission has called the fastest growing crime in the nation. Among the recommendations was that the government limit government use of the Social Security number as an identifier. Because Social Security numbers are frequently used for authentication in the private sector, their disclosure can easily lead to identity theft. The Task Force also recommended that government agencies implement contingency plans in case there is a breach of individuals' personal information. However, these recommendations leave it to the heads of the agency to decide whether or not to reveal the breach to those affected.
Interim Recommendations of the Task Force (pdf):
http://www.ftc.gov/os/2006/09/060916interimrecommend.pdf

EPIC's SSN Privacy Page:
http://www.epic.org/privacy/ssn/

States Oppose Preemption on Wireless Law

Forty-one state Attorneys General wrote to Congress, opposing provisions of H.R. 5252, the "Advanced Telecommunications and Opportunity Reform Act." These provisions of the telecommunications bill would override state laws that regulate wireless telecommunications services and voice over Internet Protocol (VoIP) services. The attorneys general argue in the letter that preemption of state laws would harm consumers by denying them state protections against unfair and fraudulent trade practices by certain telecommunications and VoIP providers. State governments have often acted more swiftly and thoroughly to protect privacy rights, only to have protections rolled back by federal preemption.

Letter from 41 State Attorneys General (pdf):
http://www.naag.org/news/pdf/20060915.WirelessPreemption.pdf

EPIC's Privacy and Preemption Page:
http://www.epic.org/privacy/preemption/

========================================================================
[7] EPIC Bookstore: "Privacy, Information, and Technology"
========================================================================

"Privacy, Information, and Technology" by Daniel J. Solove, Marc Rotenberg, and Paul Schwartz (Aspen Publishers 2006).

http://www.powells.com/partner/24075/biblio/62-0735562458-1

"This short paperback, developed from the casebook, 'Information Privacy Law,' contains key cases and materials focusing on privacy issues related to information technology, databases, and cyberspace. Topics covered include government surveillance, privacy and access to public records, government access to personal information, data mining, identity theft, consumer privacy, financial privacy, and more."

================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
http://www.epic.org/bookstore/phr2005/phr2005.html

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
[8] Upcoming Conferences and Events
========================================================================

Preventing and Responding to Security Breaches. Privacy Journal. September 28-29. New York, New York. For more information: www.aciresources.com

Identity and Identification in a Networked World. New York University. September 29-30, 2006. New York, New York. For more information: http://www.easst.net/node/976

34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. September 29-October 1, 2006. Arlington, Virginia. For more information: http://www.tprc.org/TPRC06/2006.htm

6th Annual Future of Music Policy Summit. Future of Music Coalition. October 5-7, 2006. Montreal, Canada. For more information: http://www.futureofmusic.org/events/summit06/

The IAPP Privacy Academy 2006. International Association of Privacy Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more information: www.privacyassociation.org

International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Markham, Ontario, Canada. For more information: http://www.businessandit.uoit.ca/pst2006/

Internet Governance Forum (IGF) October 30-November 2, 2006. Athens, Greece. For more information: http://www.igfgreece2006.gr/

28th International Data Protection and Privacy Commissioners' Conference. November 2-3, 2006. London, United Kingdom. For more information: http://www.privacyconference2006.co.uk/

BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information: http://www.bsr.org/BSRConferences/index.cfm

5th Conference on Privacy and Public Access to Court Records. Center for Legal and Court Technology and Administrative Office of the United States Courts. March 22-23, 2007. Williamsburg, Virginia. For more information: http://www.courtaccess.org/

CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information: http://www.cfp2007.org

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.19 -------------------------