======================================================================== E P I C A l e r t ======================================================================== Volume 13.22 November 1, 2006 ------------------------------------------------------------------------ Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org/alert/EPIC_Alert_13.22.html ======================================================================== Table of Contents ======================================================================== [1] Two Reports Criticize Security, Privacy Holes in RFID Technology [2] Microsoft Announces New Identity Management System [3] Voting Integrity Group Recommends Measures for Election Day [4] Student Creates Fake Boarding Passes to Show Air Security Flaws [5] EPIC Launches Privacy and Domestic Violence Project [6] News in Brief [7] EPIC Bookstore: Aviel Rubin's "Brave New Ballot" [8] Upcoming Conferences and Events ======================================================================== [1] Two Reports Criticize Security, Privacy Holes in RFID Technology ======================================================================== The federal government has increasingly required radio frequency identification (RFID) tags for identity documents, even though an expert panel has opposed the adoption of the wireless technology. The draft report has yet to be finalized for official release. In another report, researchers revealed serious security vulnerabilities in RFID-enabled credit cards that would allow for fraud. RFID technology is a part of several federal identification documents. The Department of Homeland security last year began using RFID-enabled I-94 forms in its United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program to track the entry and exit of visitors. This year, the State Department started issuing RFID-enabled passports to U.S. citizens. The State Department also is proposing to use RFID in its "PASS card," an ID card for people entering the United States from certain countries in North, Central or South America. In the draft report, the Department of Homeland Security Data Privacy and Integrity Advisory Committee warns against using RFID in in identification documents. "RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity," the report says. Many have criticized the security and privacy problems inherent in RFID. Recently, the European Commission announced it is considering legislation to ensure privacy safeguards in the use of RFID technology. EPIC has previously explained that, in the absence of effective security techniques, RFID tags are remotely and secretly readable. RFID-enabled ID cards would allow for clandestine tracking of individuals, "skimming," and "eavesdropping." Skimming occurs when information from an RFID chip is surreptitiously gathered by an unauthorized individual. Eavesdropping occurs when an individual intercepts data as it is read by an authorized RFID reader. Researchers at the University of Massachusetts and RSA Labs skimmed RFID-enabled credit cards to reveal security vulnerabilities. In tests on 20 cards from Visa, MasterCard and American Express, they found that the cards are transmitting the cardholder's name and other data in plain text and without encryption. The researchers gathered the information from the cards with small device made out of commercially available electronic components. The researchers were able to use the stolen data to buy products online. Department of Homeland Security Data Privacy and Integrity Advisory Committee: The Use of RFID for Human Identification (pdf): http://www.epic.org/redirect/dpiac1106.html Research Paper: Vulnerabilities in First-Generation RFID-enabled Credit Cards (pdf): http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf EPIC's Spotlight on Surveillance: "Homeland Security PASS Card: Leave Home Without It": http://www.epic.org/privacy/surveillance/spotlight/0806 EPIC's Page on RFID: http://www.epic.org/privacy/rfid/ ======================================================================== [2] Microsoft Announces New Identity Management System ======================================================================== Microsoft recently announced a new identity management system "CardSpace Identity Selector" that will be included as a Windows component embedded in the Vista operating system. Microsoft executives described CardSpace as an "identity metasystem" that allows a user to create multiple virtual ID cards. Kim Cameron, chief identity architect at Microsoft, said each virtual card created by the user would only contain the minimum amount of information that individuals will need to divulge to carry out a transaction applicable to the card. If the system works as advertised, it will be a welcome change from Microsoft's original proposal for an Internet-based identity system, dubbed "Passport." In July 2001, EPIC and a coalition of consumer groups filed a complaint with the Federal Trade Commission alleging that the Microsoft Passport system violated Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in trade. In August 2002, the FTC agreed with EPIC that Passport was flawed and settled with Microsoft. As part of the settlement, Microsoft agreed to implement a comprehensive information security program for Passport and similar services. According to the FTC, "The proposed consent order prohibits any misrepresentation of information practices in connection with Passport and other similar services. It also requires Microsoft to implement and maintain a comprehensive information security program. In addition, Microsoft must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional every two years." In the Final Order, the FTC also adopted a broad definition of "personally identifiable information" that included not only name, address, email address, phone number, and Social Security number, but also a persistent identifier, such as a cookie, as well as any information that is combined with any of the previous categories. The European Commission launched an investigation of Microsoft Passport, following the EPIC complaint to the FTC. The Article 29 Working Group, European privacy experts, issued a report in 2003 concerning Online Authentication Services. Microsoft, "The Identity Metasystem: Towards Privacy-Compliant Solution to the Challenges of Digital Identity": http://www.epic.org/redirect/msoft_1006.html Kim Cameron's Identity Weblog: http://www.identityblog.com/ FTC Order: In the Matter of Microsoft Corporation, No. 1012-3240 (pdf): http://www.ftc.gov/os/2002/08/microsoftagree.pdf EPIC's FTC Complaint about Microsoft (pdf): http://www.epic.org/privacy/consumer/MS_complaint.pdf FTC, "Microsoft Settles FTC Charges Alleging False Security and Privacy Promises": http://www.ftc.gov/opa/2002/08/microsoft.htm EPIC's Page on the Microsoft Passport Investigation: http://www.epic.org/privacy/consumer/microsoft/passport.html Article 29 Working Group, Online Authentication Services (pdf): http://www.epic.org/redirect/a29.html ======================================================================== [3] Voting Integrity Group Recommends Measures for Election Day ======================================================================== The National Committee for Voting Integrity (NCVI) has prepared recommendations to assist voters and election administrators. The guidance was developed with the assistance of the Brennan Center for Justice and addresses the use of electronic voting systems in the upcoming national elections. NCVI and the Brennan Center warn that the recent implementation of electronic voting systems will make ensuring that all votes are accurately counted a difficult and challenging task. They recommend that election officials should be prepared well in advance to manage foreseeable failures. Particular focus should be placed on possible remedial steps that may be taken to minimize the loss of votes due to complications with implementation of statewide-centralized voter registration databases and/or electronic poll books, as well as the casting of ballots on touch screen direct recording electronic (DRE) voting machines or paper optical scan voting systems. These recommendations also include information on how to make the use of optical scan voting systems as effective as possible. They conclude that in the long term, there must be far better security and reliability standards for electronic voting systems. They reiterate the Brennan Center's 2004 and 2006 security and reliability recommendations for these machines. They also endorse the immediate implementation of the federal laboratory accreditation process to certify all electronic voting systems to the Election Assistance Commission's 2005 Voluntary Voting System Guidelines. They advised election administrators who use statewide-centralized voter registration databases to immediately implement the recommendations of the Association for Computing Machinery's U.S. Public Policy Committee's Study of Accuracy, Privacy, Usability, Security, and Reliability Issues, as well as the Brennan Center's 2006 recommendations on the Database Matching and Verification Processes for Voter Registration. Further, election administrators who rely on automated central tabulating processes for optical scan ballot systems should immediately evaluate those systems for accuracy, reliability, and security. About 87% of voters will use either optical scan or touch screen systems to vote on Tuesday. EPIC highlighted the many security and privacy risks associated with the use of electronic voting systems in its recent Spotlight on Surveillance. EPIC explained that, though there are safeguards, most of the local election jurisdictions have not put these in place. National Committee for Voting Integrity's Recommendations: http://votingintegrity.org/docs/help/recommend-2006.pdf Brennan Center for Justice NYU School of Law: http://www.brennancenter.org/ Election Assistance Commission's 2005 Voluntary Voting System Guidelines: http://www.eac.gov/vvsg_intro.htm Association for Computing Machinery's U.S. Public Policy Committee's Study of Accuracy, Privacy, Usability, Security, and Reliability Issues (2006): http://www.acm.org/usacm/VRD/ EPIC's September 2006 Spotlight on Surveillance: With Some Electronic Voting Systems, Not All Votes Count http://www.epic.org/privacy/surveillance/spotlight/0906/ EPIC's Page on Voting and Privacy: http://www.epic.org/privacy/voting/ ======================================================================== [4] Student Creates Fake Boarding Passes to Show Air Security Flaws ======================================================================== After an Indiana University graduate student created a Web site that allows users to forge their own airline boarding passes, the FBI searched his home and seized equipment. However, this particular security flaw has been highlighted by experts before. Doctoral candidate Christopher Soghoian created the Northwest Airlines Boarding Pass Generator Web site to highlight the problem with airport security. At the site (http://www.dubfire.net/boarding_pass/), which has since been taken down, a person could enter a name and flight data (departure city, flight number, etc.) and print a fake Northwest Airlines boarding pass that would get him past airport security checkpoints. "I don't want to help terrorists or help bad guys do bad things on airplanes, but what we have now is what we in the industry call 'security theater.' It's made to make you think you're secure without actually making you secure," Soghoian told ABC News. "As a member of the academic research community, I consider this to be a public service." When Jim Harper, Director of Information Policy Studies at the Cato Institute, tried boarding a plane without a photo ID, he was asked to undergo "secondary screening" by airport security. After that, he was allowed to board the plane. He said that "secondary screening" actually had the advantage of allowing him to skip to the head of the security line. The fake boarding pass problem is not new; it has been discussed extensively prior to Soghoian's site. In fact, New York Sen. Charles Schumer, security expert Bruce Schneier, and a reporter at Slate Magazine have previously explained step-by-step how to create a fake boarding pass, in order to show the security problem. Christopher Soghoian's blog: http://slightparanoia.blogspot.com/ EPIC's Page on ID Cards: http://www.epic.org/privacy/id_cards/ Fake Boarding Pass Instructions: Bruce Schneier: http://www.schneier.com/crypto-gram-0308.html#6 Sen. Schumer: http://www.epic.org/redirect/sch_pass.html Slate Magazine: http://www.slate.com/id/2152507/ ======================================================================== [5] EPIC Launches Privacy and Domestic Violence Project ======================================================================== This October, Domestic Violence Awareness Month, EPIC launched its Domestic Violence and Privacy project. The project will focus EPIC's expertise on the privacy problems raised by domestic violence. Guilherme Roschke, a Skadden Fellow, will pursue the project over the next two years. Victims often share much of their private lives with their abusers, and thus are particularly exposed to privacy invasions. Furthermore, weak data protection and privacy invasive technologies can be exploited by abusers seeking to hurt their victims. What are normal privacy risks faced by us all become matters of life and death in the domestic violence and stalking context. The Domestic Violence and Privacy project will provide legal assistance to domestic violence practitioners. The goal of this work is to develop a two-way relationship between EPIC and domestic violence practitioners. EPIC's privacy expertise and research will aid the representation of client's whose privacy has been harmed. In turn, this experience with domestic violence practitioners will inform EPIC's general privacy advocacy work. With both of these practices, privacy protection for a vulnerable part of our community will be increased. Several specific privacy issues that EPIC works on affect domestic violence. The use of surveillance technologies such as spyware and other wiretaps. The use of pretexting to gain cell phone and other records. The use of personal information for identity theft. The protection of personal data in the hands of data brokers. The safeguarding of data in government and court records. The protection of confidential data in the hands of domestic violence service providers. Guilherme Roschke was an IPIOP Clerk at EPIC during the summer of 2005 when he developed the project, and is a graduate of the George Washington University Law School. The Skadden Fellowship Foundation is funding his project. EPIC's Page on Domestic Violence: http://www.epic.org/privacy/dom_violence/ Skadden Fellowship Foundation: http://www.skaddenfellowships.org EPIC's Page on the IPIOP Clerkship Program: http://www.epic.org/epic/jobs.html ======================================================================== [6] News in Brief ======================================================================== Consumer Privacy Groups File Complaint About Online Advertising The Center for Digital Democracy and the U.S. Public Interest Research Group have filed a complaint with the Federal Trade Commission, calling on the commission to undertake a formal investigation of online advertising practices. According to the organizations, data collection and interactive marketing is designed to track Internet users wherever they go, creating data profiles used in personalized "one-to-one" targeting schemes. The groups say privacy disclosure policies fail to effectively inform users what data are being collected and how that information is subsequently used. Complaint and Request for Inquiry and Injunctive Relief Concerning Unfair and Deceptive Online Marketing Practices (Nov. 1, 2006) (pdf): http://www.democraticmedia.org/PDFs/FTCadprivacy.pdf EPIC's Page on the Microsoft Passport Investigation: http://www.epic.org/privacy/consumer/microsoft/passport.html Privacy International Releases Report on Freedom of Information Laws Privacy International has released a survey that provides a comprehensive review of Freedom of Information Laws and practices in nearly 70 countries. "Freedom of Information Around the World 2006 Global Survey of Access to Government Information Laws" describes the growing world-wide movement to adopt Freedom of Information laws. More than a dozen countries have adopted new laws and decrees in the last two years. The survey also details many problems such as poorly drafted laws, lax implementation and an ongoing culture of secrecy in many countries. Freedom of Information Around the World 2006 Global Survey of Access to Government Information Laws (2006): http://www.privacyinternational.org/foi/survey EPIC's Open Government Project: http://www.epic.org/open_gov/ YouTube Shared User Data with Movie Studio. In response to a subpoena from Viacom Inc.'s Paramount Pictures, movie-hosting Web site YouTube turned over data on one of its users. Paramount then sued the creator of a 12-minute movie posted on YouTube that included dialogue from the movie studio's film "Lord of the Rings: The Two Towers. " The Digital Millennium Copyright Act (DMCA), allows a copyright owner or a person on the owner's behalf to ask a district court clerk "to issue a subpoena to a service provider for identification of an alleged [copyright] infringer." The act's subpoena provisions have previously been litigated in Verizon v. RIAA, in which EPIC filed a "friend of the court" brief. EPIC's Page on Verizon v. RIAA: http://www.epic.org/privacy/copyright/verizon/ Calif. Governor Uses Database on Consumer Habits to Target Voters California Gov. Arnold Schwarzenegger's campaign team has created a vast computer database on personal buying habits and voter records of millions of people in order to identify likely supporters. Names, phone numbers, addresses, consumer preferences, voting histories and other demographic information are being compiled. Campaign officials say the data allows them to target residents with phone calls, mailing, and home visits from campaign volunteers, with messages tailored to issues presumed to be important to the resident. Others have created similar databases to target potential voters, including President Bush's 2004 re-election team and the Democratic National Committee. EPIC's Page on ChoicePoint, a data broker: http://www.epic.org/privacy/choicepoint/ DNA database increasingly being used for property crimes The FBI's database of criminal DNA, CODIS (Combined DNA Index System), which was created to help solve violent crimes such as rape and murder, is increasingly being used in burglaries and other property crimes. In 10 states -- Alabama, Florida, Indiana, Michigan, Missouri, New Mexico, Ohio, Oregon, Virginia and Wisconsin -- the total number of DNA matches in property crimes cases has exceeded the number of matches in violent crimes. Some experts attribute the rise in property crime matches to increasingly sophisticated DNA testing and the fact that government funds for DNA analysis, once limited to testing matches in violent crimes, can now be used in property crimes. For 17 years, the states, federal government, and military have collected DNA from those convicted of felonies (more recently, some states have begun collecting DNA samples from people convicted of misdemeanors or arrested for certain felonies). The database contains profiles from approximately 3.5 million people. EPIC's Page on Genetic Privacy: http://www.epic.org/privacy/genetic/ Firefox Introduces Flawed Anti-Phishing Feature The anti-phishing technique in Firefox 2.0 transmits the URL of each Web site a user visits to Google. Google says that it will compare the URL with a database of known fraudulent sites, but Google has not said what else it might do with the URLs it collects. "Phishing Protection" is turned on by default in Firefox 2. Earlier this year, a federal judge made clear that there were privacy interests in the collection and disclosure of URLs and search terms. EPIC has identified privacy problems with other Google services, such as Gmail, including the fact that Google is building profiles on Internet users by aggregating data from seacrh histories and different Google services. Firefox, "Phishing Protection": http://www.mozilla.com/en-US/firefox/phishing-protection/ Gonzales v. Google, Inc., No. CV 06-8006MISC JW (Mar. 17, 2006) (pdf): http://www.google.com/press/images/ruling_20060317.pdf EPIC's Page on Gmail Privacy: http://www.epic.org/privacy/gmail/faq.html ======================================================================== [7] EPIC Bookstore: Aviel Rubin's "Brave New Ballot" ======================================================================== "Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting" by Aviel Rubin (Morgan Road 2006). http://www.powells.com/partner/24075/biblio/0767922107 Dr. Aviel Rubin is a Professor of Computer Science at Johns Hopkins University and an advocate for electronic voting technology reform. His book recounts his evolution from seeing electronic voting security as an interesting academic or research problem, to a serious threat to our nation's democracy. Dr. Rubin along with other computer technologists have brought their knowledge about computer system vulnerabilities to the debate on modernizing elections. A few years ago, Dr. Rubin published a critical report about Diebold's AccuVote-TS voting technology sold to the state of Maryland. The book lays out the case that, when the largest supplier of paperless electronic voting systems, Diebold Election Systems, was presented with evidence that one of its most popular voting models had serious security flaws, they attacked the messenger. Diebold's reaction to the report was to unleash a personal and professional attack against Dr. Rubin. For those who think that the debate about electronic voting technology is just a polite discussion and not a battle -- read Dr. Rubin's book. This is a great book for those interested in learning about one of the many heroes who labored to speak truth to the powers that be and move the issue of electronic voting technology security from the notice of technologists to front page news. -- Lillie Coney ================================ EPIC Publications: "Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98. http://www.epic.org/redirect/aspen_ipl_casebook.html This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law. ================================ "Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60. http://www.epic.org/bookstore/phr2005/phr2005.html This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published. ================================ "FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40. http://www.epic.org/bookstore/foia2004 This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual. ================================ "The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40. http://www.epic.org/bookstore/pvsourcebook This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process. ================================ "The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40. http://www.epic.org/bookstore/pls2004/ The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act. ================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0 A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at: EPIC Bookstore http://www.epic.org/bookstore "EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html ================================ EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act. Subscribe to EPIC FOIA Notes at: https://mailman.epic.org/cgi-bin/control/foia_notes ======================================================================== [8] Upcoming Conferences and Events ======================================================================== 28th International Data Protection and Privacy Commissioners' Conference. November 2-3, 2006. London, United Kingdom. For more information: http://www.privacyconference2006.co.uk/ BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information: http://www.bsr.org/BSRConferences/index.cfm Assessing Current Privacy Issues. Riley Information Services, Inc. February 21, 2007. Ottawa, Ontario, Canada. For more information: http://www.rileyis.com/seminars/ 5th Conference on Privacy and Public Access to Court Records. Center for Legal and Court Technology and Administrative Office of the United States Courts. March 22-23, 2007. Williamsburg, Virginia. For more information: http://www.courtaccess.org/ CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information: http://www.cfp2007.org ====================================================================== Subscription Information ====================================================================== Subscribe/unsubscribe via web interface: https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news Back issues are available at: http://www.epic.org/alert The EPIC Alert displays best in a fixed-width font, such as Courier. ======================================================================== Privacy Policy ======================================================================== The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ======================================================================== About EPIC ======================================================================== The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ------------------------- END EPIC Alert 13.22 ------------------------- .