EPIC logo

                           E P I C  A l e r t
Volume 13.22                                            November 1, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] Two Reports Criticize Security, Privacy Holes in RFID Technology 
[2] Microsoft Announces New Identity Management System
[3] Voting Integrity Group Recommends Measures for Election Day
[4] Student Creates Fake Boarding Passes to Show Air Security Flaws
[5] EPIC Launches Privacy and Domestic Violence Project
[6] News in Brief
[7] EPIC Bookstore: Aviel Rubin's "Brave New Ballot"
[8] Upcoming Conferences and Events

[1] Two Reports Criticize Security, Privacy Holes in RFID Technology 

The federal government has increasingly required radio frequency
identification (RFID) tags for identity documents, even though an expert
panel has opposed the adoption of the wireless technology. The draft
report has yet to be finalized for official release. In another report,
researchers revealed serious security vulnerabilities in RFID-enabled
credit cards that would allow for fraud.

RFID technology is a part of several federal identification documents.
The Department of Homeland security last year began using RFID-enabled
I-94 forms in its United States Visitor and Immigrant Status Indicator
Technology (US-VISIT) program to track the entry and exit of visitors.
This year, the State Department started issuing RFID-enabled passports
to U.S. citizens. The State Department also is proposing to use RFID in
its "PASS card," an ID card for people entering the United States from
certain countries in North, Central or South America.

In the draft report, the Department of Homeland Security Data Privacy
and Integrity Advisory Committee warns against using RFID in in
identification documents. "RFID appears to offer little benefit when
compared to the consequences it brings for privacy and data integrity,"
the report says. Many have criticized the security and privacy problems
inherent in RFID. Recently, the European Commission announced it is
considering legislation to ensure privacy safeguards in the use of RFID

EPIC has previously explained that, in the absence of effective security
techniques, RFID tags are remotely and secretly readable. RFID-enabled
ID cards would allow for clandestine tracking of individuals,
"skimming," and "eavesdropping." Skimming occurs when information from
an RFID chip is surreptitiously gathered by an unauthorized individual.
Eavesdropping occurs when an individual intercepts data as it is read by
an authorized RFID reader.

Researchers at the University of Massachusetts and RSA Labs skimmed
RFID-enabled credit cards to reveal security vulnerabilities. In tests
on 20 cards from Visa, MasterCard and American Express, they found that
the cards are transmitting the cardholder's name and other data in plain
text and without encryption. The researchers gathered the information
from the cards with small device made out of commercially available
electronic components. The researchers were able to use the stolen data
to buy products online.

Department of Homeland Security Data Privacy and Integrity Advisory
Committee: The Use of RFID for Human Identification (pdf):


Research Paper: Vulnerabilities in First-Generation RFID-enabled Credit
Cards (pdf):


EPIC's Spotlight on Surveillance: "Homeland Security PASS Card: Leave
Home Without It":


EPIC's Page on RFID:


[2] Microsoft Announces New Identity Management System

Microsoft recently announced a new identity management system "CardSpace
Identity Selector" that will be included as a Windows component embedded
in the Vista operating system. Microsoft executives described CardSpace
as an "identity metasystem" that allows a user to create multiple
virtual ID cards. Kim Cameron, chief identity architect at Microsoft,
said each virtual card created by the user would only contain the
minimum amount of information that individuals will need to divulge to
carry out a transaction applicable to the card. If the system works as
advertised, it will be a welcome change from Microsoft's original
proposal for an Internet-based identity system, dubbed "Passport."

In July 2001, EPIC and a coalition of consumer groups filed a complaint
with the Federal Trade Commission alleging that the Microsoft Passport
system violated Section 5 of the Federal Trade Commission Act, which
prohibits unfair or deceptive practices in trade. In August 2002, the
FTC agreed with EPIC that Passport was flawed and settled with
Microsoft. As part of the settlement, Microsoft agreed to implement a
comprehensive information security program for Passport and similar

According to the FTC, "The proposed consent order prohibits any
misrepresentation of information practices in connection with Passport
and other similar services. It also requires Microsoft to implement and
maintain a comprehensive information security program. In addition,
Microsoft must have its security program certified as meeting or
exceeding the standards in the consent order by an independent
professional every two years."

In the Final Order, the FTC also adopted a broad definition of
"personally identifiable information" that included not only name,
address, email address, phone number, and Social Security number, but
also a persistent identifier, such as a cookie, as well as any
information that is combined with any of the previous categories.

The European Commission launched an investigation of Microsoft Passport,
following the EPIC complaint to the FTC. The Article 29 Working Group,
European privacy experts, issued a report in 2003 concerning Online
Authentication Services.

Microsoft, "The Identity Metasystem: Towards Privacy-Compliant Solution
to the Challenges of Digital Identity":


Kim Cameron's Identity Weblog:


FTC Order: In the Matter of Microsoft Corporation, No. 1012-3240 (pdf):


EPIC's FTC Complaint about Microsoft (pdf):


FTC, "Microsoft Settles FTC Charges Alleging False Security and Privacy


EPIC's Page on the Microsoft Passport Investigation:


Article 29 Working Group, Online Authentication Services (pdf):


[3] Voting Integrity Group Recommends Measures for Election Day

The National Committee for Voting Integrity (NCVI) has prepared
recommendations to assist voters and election administrators. The
guidance was developed with the assistance of the Brennan Center for
Justice and addresses the use of electronic voting systems in the
upcoming national elections. NCVI and the Brennan Center warn that the
recent implementation of electronic voting systems will make ensuring
that all votes are accurately counted a difficult and challenging task.

They recommend that election officials should be prepared well in
advance to manage foreseeable failures. Particular focus should be
placed on possible remedial steps that may be taken to minimize the loss
of votes due to complications with implementation of
statewide-centralized voter registration databases and/or electronic
poll books, as well as the casting of ballots on touch screen direct
recording electronic (DRE) voting machines or paper optical scan voting
systems. These recommendations also include information on how to make
the use of optical scan voting systems as effective as possible.

They conclude that in the long term, there must be far better security
and reliability standards for electronic voting systems. They reiterate
the Brennan Center's 2004 and 2006 security and reliability
recommendations for these machines. They also endorse the immediate
implementation of the federal laboratory accreditation process to
certify all electronic voting systems to the Election Assistance
Commission's 2005 Voluntary Voting System Guidelines.

They advised election administrators who use statewide-centralized voter
registration databases to immediately implement the recommendations of
the Association for Computing Machinery's U.S. Public Policy Committee's
Study of Accuracy, Privacy, Usability, Security, and Reliability Issues,
as well as the Brennan Center's 2006 recommendations on the Database
Matching and Verification Processes for Voter Registration. Further,
election administrators who rely on automated central tabulating
processes for optical scan ballot systems should immediately evaluate
those systems for accuracy, reliability, and security.

About 87% of voters will use either optical scan or touch screen systems
to vote on Tuesday. EPIC highlighted the many security and privacy risks
associated with the use of electronic voting systems in its recent
Spotlight on Surveillance. EPIC explained that, though there are
safeguards, most of the local election jurisdictions have not put these
in place.

National Committee for Voting Integrity's Recommendations:


Brennan Center for Justice NYU School of Law: 

Election Assistance Commission's 2005 Voluntary Voting System


Association for Computing Machinery's U.S. Public Policy Committee's
Study of Accuracy, Privacy, Usability, Security, and Reliability Issues


EPIC's September 2006 Spotlight on Surveillance: With Some Electronic
Voting Systems, Not All Votes Count


EPIC's Page on Voting and Privacy:


[4] Student Creates Fake Boarding Passes to Show Air Security Flaws

After an Indiana University graduate student created a Web site that
allows users to forge their own airline boarding passes, the FBI
searched his home and seized equipment. However, this particular
security flaw has been highlighted by experts before.

Doctoral candidate Christopher Soghoian created the Northwest Airlines
Boarding Pass Generator Web site to highlight the problem with airport
security. At the site (http://www.dubfire.net/boarding_pass/), which has
since been taken down, a person could enter a name and flight data
(departure city, flight number, etc.) and print a fake Northwest
Airlines boarding pass that would get him past airport security

"I don't want to help terrorists or help bad guys do bad things on
airplanes, but what we have now is what we in the industry call
'security theater.' It's made to make you think you're secure without
actually making you secure," Soghoian told ABC News. "As a member of the
academic research community, I consider this to be a public service."

When Jim Harper, Director of Information Policy Studies at the Cato
Institute, tried boarding a plane without a photo ID, he was asked to
undergo "secondary screening" by airport security. After that, he was
allowed to board the plane. He said that "secondary screening" actually
had the advantage of allowing him to skip to the head of the security

The fake boarding pass problem is not new; it has been discussed
extensively prior to Soghoian's site. In fact, New York Sen. Charles
Schumer, security expert Bruce Schneier, and a reporter at Slate
Magazine have previously explained step-by-step how to create a fake
boarding pass, in order to show the security problem.

Christopher Soghoian's blog:


EPIC's Page on ID Cards:


Fake Boarding Pass Instructions:

     Bruce Schneier: http://www.schneier.com/crypto-gram-0308.html#6

     Sen. Schumer: http://www.epic.org/redirect/sch_pass.html

     Slate Magazine: http://www.slate.com/id/2152507/

[5] EPIC Launches Privacy and Domestic Violence Project

This October, Domestic Violence Awareness Month, EPIC launched its
Domestic Violence and Privacy project. The project will focus EPIC's
expertise on the privacy problems raised by domestic violence. Guilherme
Roschke, a Skadden Fellow, will pursue the project over the next two

Victims often share much of their private lives with their abusers, and
thus are particularly exposed to privacy invasions. Furthermore, weak
data protection and privacy invasive technologies can be exploited by
abusers seeking to hurt their victims. What are normal privacy risks
faced by us all become matters of life and death in the domestic
violence and stalking context.

The Domestic Violence and Privacy project will provide legal assistance
to domestic violence practitioners. The goal of this work is to develop
a two-way relationship between EPIC and domestic violence practitioners.
EPIC's privacy expertise and research will aid the representation of
client's whose privacy has been harmed.  In turn, this experience with
domestic violence practitioners will inform EPIC's general privacy
advocacy work.  With both of these practices, privacy protection for a
vulnerable part of our community will be increased.

Several specific privacy issues that EPIC works on affect domestic
violence. The use of surveillance technologies such as spyware and other
wiretaps. The use of pretexting to gain cell phone and other records.
The use of personal information for identity theft. The protection of
personal data in the hands of data brokers. The safeguarding of data in
government and court records. The protection of confidential data in the
hands of domestic violence service providers.

Guilherme Roschke was an IPIOP Clerk at EPIC during the summer of 2005
when he developed the project, and is a graduate of the George
Washington University Law School. The Skadden Fellowship Foundation is
funding his project.

EPIC's Page on Domestic Violence:


Skadden Fellowship Foundation:


EPIC's Page on the IPIOP Clerkship Program:


[6] News in Brief

Consumer Privacy Groups File Complaint About Online Advertising

The Center for Digital Democracy  and the U.S. Public Interest Research
Group have filed a complaint with the Federal Trade Commission, calling
on the commission to undertake a formal investigation of online
advertising practices. According to the organizations, data collection
and interactive marketing is designed to track Internet users wherever
they go, creating data profiles used in personalized "one-to-one"
targeting schemes. The groups say privacy disclosure policies fail to
effectively inform users what data are being collected and how that
information is subsequently used.

Complaint and Request for Inquiry and Injunctive Relief  Concerning
Unfair and Deceptive Online Marketing Practices (Nov. 1, 2006) (pdf):


EPIC's Page on the Microsoft Passport Investigation:


Privacy International Releases Report on Freedom of Information Laws

Privacy International has released a survey that provides a
comprehensive review of Freedom of Information Laws and practices in
nearly 70 countries. "Freedom of Information Around the World 2006
Global Survey of Access to Government Information Laws" describes the
growing world-wide movement to adopt Freedom of Information laws. More
than a dozen countries have adopted new laws and decrees in the last two
years. The survey also details many problems such as poorly drafted
laws, lax implementation and an ongoing culture of secrecy in many

Freedom of Information Around the World 2006 Global Survey of Access to
Government Information Laws (2006):


EPIC's Open Government Project:


YouTube Shared User Data with Movie Studio.

In response to a subpoena from Viacom Inc.'s Paramount Pictures,
movie-hosting Web site YouTube turned over data on one of its users.
Paramount then sued the creator of a 12-minute movie posted on YouTube
that included dialogue from the movie studio's film "Lord of the Rings:
The Two Towers. " The Digital Millennium Copyright Act (DMCA), allows a
copyright owner  or a person on the owner's behalf to ask a district
court clerk  "to issue a subpoena to a service provider for
identification of  an alleged [copyright] infringer." The act's subpoena
provisions have previously been litigated in Verizon v. RIAA, in which
EPIC filed a "friend of the court" brief.

EPIC's Page on Verizon v. RIAA:


Calif. Governor Uses Database on Consumer Habits to Target Voters

California Gov. Arnold Schwarzenegger's campaign team has created a vast
computer database on personal buying habits and voter records of
millions of people in order to identify likely supporters. Names, phone
numbers, addresses, consumer preferences, voting histories and other
demographic information are being compiled. Campaign officials say the
data allows them to target residents with phone calls, mailing, and home
visits from campaign volunteers, with messages tailored to issues
presumed to be important to the resident. Others have created similar
databases to target potential voters, including President Bush's 2004
re-election team and the Democratic National Committee.

EPIC's Page on ChoicePoint, a data broker:


DNA database increasingly being used for property crimes 

The FBI's database of criminal DNA, CODIS (Combined DNA Index System),
which was created to help solve violent crimes such as rape and murder,
is increasingly being used in burglaries and other property crimes. In
10 states -- Alabama, Florida, Indiana, Michigan, Missouri, New Mexico,
Ohio, Oregon, Virginia and Wisconsin -- the total number of DNA matches
in property crimes cases has exceeded the number of matches in violent
crimes. Some experts attribute the rise in property crime matches to
increasingly sophisticated DNA testing and the fact that government
funds for DNA analysis, once limited to testing matches in violent
crimes, can now be used in property crimes. For 17 years, the states,
federal government, and military have collected DNA from those convicted
of felonies (more recently, some states have begun collecting DNA
samples from people convicted of misdemeanors or arrested for certain
felonies). The database contains profiles from approximately 3.5
million people.

EPIC's Page on Genetic Privacy:


Firefox Introduces Flawed Anti-Phishing Feature

The anti-phishing technique in Firefox 2.0  transmits the URL of each
Web site a user visits to Google. Google says that it will compare the
URL with a database of known fraudulent sites, but Google has not said
what else it might do with the URLs it collects. "Phishing Protection"
is turned on by default in Firefox 2. Earlier this year, a federal judge
made clear that there were privacy interests in the collection and
disclosure of URLs and search terms. EPIC has identified privacy
problems with other Google services, such as Gmail, including the fact
that Google is building  profiles on Internet users by aggregating data
from seacrh histories and different Google services.

Firefox, "Phishing Protection":


Gonzales v. Google, Inc., No. CV 06-8006MISC JW (Mar. 17, 2006) (pdf):


EPIC's Page on Gmail Privacy:


[7] EPIC Bookstore: Aviel Rubin's "Brave New Ballot"

"Brave New Ballot: The Battle to Safeguard Democracy in the Age of
Electronic Voting" by Aviel Rubin (Morgan Road 2006).


Dr. Aviel Rubin is a Professor of Computer Science at Johns Hopkins
University and an advocate for electronic voting technology reform. His
book recounts his evolution from seeing electronic voting security as an
interesting academic or research problem, to a serious threat to our
nation's democracy. Dr. Rubin along with other computer technologists
have brought their knowledge about computer system vulnerabilities to
the debate on modernizing elections. A few years ago, Dr. Rubin
published a critical report about Diebold's AccuVote-TS voting
technology sold to the state of Maryland. The book lays out the case
that, when the largest supplier of paperless electronic voting systems,
Diebold Election Systems, was presented with evidence that one of its
most popular voting models had serious security flaws, they attacked the
messenger. Diebold's reaction to the report was to unleash a personal
and professional attack against Dr. Rubin.

For those who think that the debate about electronic voting technology
is just a polite discussion and not a battle -- read Dr. Rubin's book.
This is a great book for those interested in learning about one of the
many heroes who labored to speak truth to the powers that be and move
the issue of electronic voting technology security from the notice of
technologists to front page news.

     -- Lillie Coney

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

28th International Data Protection and Privacy Commissioners'
Conference. November 2-3, 2006. London, United Kingdom. For more

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

Assessing Current Privacy Issues. Riley Information Services, Inc.
February 21, 2007. Ottawa, Ontario, Canada. For more information:

5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the United
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.22 -------------------------