EPIC logo


        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @

    Volume 9.01                                   January 14, 2002

                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] State DMVs Developing National ID System
[2] EPIC Urges Qwest to Drop Marketing Plan
[3] Court Upholds FBI Use of Secret "Key Logger" Technology
[4] Companies Stop Privacy-Invasive Practices
[5] Student Privacy Protections Enacted
[6] Digital Rights Management Discussed at Future of Music Conference
[7] EPIC Bookstore - A National ID Card: A License to Live
[8] Upcoming Conferences and Events

[1] State DMVs Developing National ID System

A Task Force of the American Association of Motor Vehicle
Administrators (AAMVA) announced plans today to increase uniformity of
state driver's licenses and information sharing between states and law
enforcement agencies.  The AAMVA proposal combines several
initiatives, each with very different privacy implications, and asks
for $100 million in federal funding to determine what technology
should be used and to expand information sharing capacity.  Efforts to
enhance document security and prevent forgery, such as improved
holograms and printing techniques, are a positive application of
technology to the driver's license regime.  The AAMVA also advocates
stricter enforcement and tougher penalties for fraud and abuse of
driver's licenses occurring inside and outside of DMVs.

Standardization of driver's license security features and issuance
standards across the 50 states, as well as information sharing with
federal agencies and state law enforcement, would make the driver's
license a de facto national identity card.  The AAMVA has not
disclosed how the detailed personal information required to obtain a
license, including residency and immigration status and social
security information, will be collected, used and shared under the new
program.  The AAMVA has also proposed making the driver's license a
unique identifier.  While they have not yet determined what technology
will be implemented, they plan to use biometric or other identifiers
to positively ensure that license applicants are who they say they
are, and that no person holds more than one license.  This proposal
presents the most significant privacy and security risks, which are
detailed in EPIC's ID Card and Biometrics pages referenced below.

The possible creation of national identification cards through
driver's licenses deserves careful examination and open public
discussion.  EPIC is in the process of drafting a memo discussing the
risks and policy implications of national identification schemes, to
be prepared in time for the AAMVA's leadership summit, where the heads
of the state DMVs will discuss the task force's recommendations.

AAMVA's website (including an archived webcast of the January 14th
press conference):


EPIC's ID Card Page:

EPIC's Biometrics Page:


[2] EPIC Urges Qwest to Drop Marketing Plan

Last week, millions of Qwest customers across the country received
opt-out notices in their monthly billing statements.  The notices,
which were contained within a pamphlet that said "the following will
not affect your billing," provided that Qwest could use customer
calling data -- information such as services subscribed to and call
logs -- unless customers opted-out of this plan by calling a toll-free
number within 30 days.

Customers attempting to call the toll-free number to opt-out have
reported numerous difficulties, including long waits and disconnects.

The information that Qwest is planning on using is known as customer
proprietary network information, and is protected from use absent
"customer approval" by the 1996 Communications Act.  The FCC
promulgated a rule in 1998 that required telecommunication carriers to
obtain explicit customer approval (opt-in) before using such
information in any manner inconsistent with provision of services. The
FCC explicitly rejected an opt-out approach as insufficiently
protective of customer privacy.  However, in 1999 the US Court of
Appeals for the 10th Circuit ruled that the opt-in approach did not
pass First Amendment scrutiny because the decision to require "opt-in"
was not adequately considered or supported by existing facts.

In response to this 1999 court decision, the FCC in October 2001
issued a request for public comments, seeking advice on, among other
things, whether an opt-in approach inherently violates the First
Amendment.  EPIC and consumer groups filed comments and reply comments
urging the FCC to implement an opt-in approach.  Similar comments were
filed by 39 Attorneys General.

In a letter sent to Qwest President Afshin Mohebbi on January 7, EPIC
urged Qwest to suspend their marketing plan.

Although the initial comment period closed in November, the FCC has
announced -- in the wake of Qwestís implementation of their marketing
plan -- that they will continue to accept comments from anyone wishing
to express their opinion in this ongoing debate.  Consumers wishing to
do so can comment by e-mail: <fccinfo@fcc.gov> or by regular mail:
FCC, 445 12th St. S.W., Washington, D.C. 20554, attn: Consumer
Information Bureau.  Reference Docket No. 96-115.

EPIC's comments are available at:

EPICís reply comments are available at:


Attorneys General comments are available at:


EPICís letter to Qwest President Afshin Mohebbi:


[3] Court Upholds FBI Use of Secret "Key Logger" Technology

In a decision issued on December 26, a federal judge in New Jersey
upheld the legality of the FBI's use of a "key logger system" secretly
installed on a suspect's computer to capture his encryption passphrase
and denied a defense motion to suppress evidence obtained through the
technique.  U.S. District Judge Nicholas Politan also allowed
prosecutors to keep secret the specifics of the technology, saying
disclosure "would cause identifiable damage to the national security
of the United States."  The government had earlier invoked the
Classified Information Procedures Act (CIPA) to conceal details of the
surveillance system (see EPIC Alert 8.16).

The gambling and loansharking case aginst defendant Nicodemo Scarfo,
Jr. has become the first to test the legality of law enforcement
efforts to counter the use of encryption.  The events of September 11
seem to have had an influence in the case; Judge Politan wrote in the
first paragraph of his opinion that "the matter takes on added
importance in light of recent events and potential national security
implications."  Prosecutors and FBI officials met privately with the
judge on Sept. 28 to present "top-secret, classified evidence" about
the system and its use in national security investigations.

Scarfo's lawyers had argued that the "key-logger system" violated both
the Fourth Amendment (by collecting more information than needed) and
the federal wiretap statute (by intercepting modem transmissions
without a wiretap order).  They asserted that they needed, through
pre-trial discovery, a detailed explanation of the technology to
determine whether its use was improper.  Politan ruled that an
unclassified "summary" report on the system's capabilities provided
the defense with an adequate description.

The case will proceed to trial sometime in 2002; if convicted, Scarfo
could raise the discovery and suppression issues on appeal.

The court's opinion is available at:


Other selected court documents on the Scarfo case are available at:


[4] Companies Stop Privacy-Invasive Practices

This month, two large companies revealed that they were putting an end
to practices with major privacy implications, thereby sending an
important message to other industry groups that violation of consumer
privacy is not a profitable or useful enterprise.

First, as initially reported by CNET, DoubleClick has decided to
discontinue its profiling services.  Effective December 31, 2001, the
company no longer offers the targeted marketing that was once central
to its business plan.  Relying on techniques such as cookies and
web-bugs to track users on the Internet, over the years DoubleClick
built up profiles on millions of individuals' surfing habits,
preferences, and past purchases.  As a result, it earned considerable
notoriety as one of the worst invaders of personal privacy on the
Internet.  In February 2000, following complaints from EPIC and
others, the Federal Trade Commission launched a formal investigation
of the company when it was reveale d that it planned to link
personally identifiable information to these formerly anonymous
Internet profiles.  That investigation was officially closed in
January 2001, consequent to DoubleClick's commitment to abide by
self-regulatory guidelines for online profiling (see EPIC Alert 8.02).

Second, Dollar Rent-a-Car has ended its practice of requiring
customers to be fingerprinted before renting a vehicle, because the
effort failed to meet its goal of reducing theft and fraud.  Mr. Jim
Senese, Vice President of Quality Assurance at Dollar, is reported by
the Washington Post as saying that although there was some reduction
in car theft over the course of the program, any savings that were
made did not compensate for the number of customers who were
"irritated" by having to give thumbprints to the company.

In a related development on fingerprinting, a federal judge ruled last
week that the technology used to "match" fingerprints does not meet
standards set by the Supreme Court for scientific evidence.  Judge
Louis Pollak of the U.S. District Court found that expert witnesses
cannot rely on fingerprint analysis, which compares near perfect
prints taken at the police station to partial smudges or latent prints
from a crime scene, to conclusively determine that the latent print is
that of the accused person.  In what has been described as a
"blockbuster opinion," Judge Pollak's ruling casts doubt upon the
increased use of fingerprints as unique identifiers by private and
public organizations, and may affect the evaluation of other forensic
techniques such as handwriting and hair analysis.

Background information on DoubleClick:

CNET article on DoubleClick, January 8, 2002:


Washington Post article on Dollar Rent-a-Car, January 9, 2002:


New York Times article on Justice Pollak's decision, January 11, 2002:


[5] Student Privacy Protections Enacted

In December, Congress passed limited privacy protections for students.
The protections were passed because a number of companies collect
personal information from children while they are at school for
marketing purposes.  Much of this profiling is conducted under the
pretense of college admissions or job recruitment purposes, and
parents are often not notified of the privacy policies associated with
the information collection.  Companies such as American Student List
sell the survey data in profiles that include children's names,
contact information, sex, age, whether they own a telephone, income,
religion, and their race or ethnicity.

The protections, included in H.R. 1, the "No Child Left Behind Act of
2001," were primarily supported by Sen. Christopher Dodd (D-CT) and
Sen. Richard Shelby (R-AL).  The original Dodd-Shelby proposal
included notice and opt-in protections for all commercial collection
of data from schoolchildren.  However, compromise language was adopted
after a lobbying push by the student profiling industry.

The new protections grant parents the right to inspect all surveys
administered at school that were written by third parties.  Local
education agencies, which are defined as schools, school districts, or
boards of education, must give notice of "arrangements to protect
student privacy" and allow the parent to opt a child out of
participation where the survey instrument contains questions seeking
political affiliations, mental or psychological information, sexual
behavior, criminal behavior, income, or religious belief.  Parents may
also opt children out of surveys that collect personal information for
marketing purposes.

These new protections contain significant loopholes.  The opt-out for
marketing does not apply where the information collection is for
magazine subscriptions or for "student recognition programs." 
However, magazine marketing is a significant purpose of student
profiling.  In addition, some student recognition programs have a
significant marketing component.

H.R. 1, The No Child Left Behind Act of 2001 (see section 1061):


EPIC's Profiling Page:


[6] Digital Rights Management Discussed at Future of Music Conference

The Future of Music Coalition (FMC) held its second annual policy
summit on January 7-8, 2002, in Washington, D.C.  Many topics were
discussed that relate to issues of music and technology policy,
copyright law, and other areas of interest to musicians, the media,
policymakers, and the public.

The emphasis of the conference was on finding ways to protect the
interests of artists and copyright holders, as well as the
music-loving public, in a constantly changing technological
environment.  There was also much talk of Digital Rights Management
(DRM) and its efficacy as an anti-piracy technique.

Notably, in a keynote speech, Rep. Rick Boucher (D-VA) said that he
will take steps to nurture the broad availability of music on the
Internet, and that he intends to introduce a bill that would eliminate
the anti- circumvention clause of the DMCA (section 1201).

Panelist bios, transcripts, and more post-conference information is
currently available at the Future of Music Coalition website.

Links to FMC conference materials and press coverage:


EPIC's new Digital Rights Management Page:


[7] EPIC Bookstore - A National ID Card: A License to Live

A National ID Card: A License to Live, by Robert Ellis Smith


Just in time to illuminate a new national debate, A National ID Card:
A License to Live brings together the provocative writings of Robert
Ellis Smith, publisher of Privacy Journal newsletter, on the serious
consequences of adopting a mandatory universal identity document. This
book includes a bibliography on the subject, a list of other nations
and their ID practices, a history of IDs and Social Security Numbers
in the U.S., and a frank discussion of airport security that
distinguishes the window-dressing from the workable solutions.

This book is also available from Privacy Journal at:



EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including, data protection, telephone
tapping, genetic databases, ID systems and freedom of information


"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore

     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

** POSTPONED! ** First Privacy Expo 2001. Privacy & American Business
and Privacy Council. Was November 27-29, 2001; will be rescheduled for
February or March 2002. Washington, DC. For more information:

** POSTPONED! ** Eighth Annual National "Managing the NEW Privacy
Revolution" Conference. Privacy & American Business and Privacy
Council. Was November 28-29, 2001; will be rescheduled for February or
March 2002. Washington, DC. For more information: info@pandab.org

Chief Privacy Officer Skills Development Workshop. PRIVA-C and Select
Knowledge. January 14-16, 2002 and February 18-20, 2002. Dallas, TX.
For more information: http://www.priva-c.com/cpoworkshop/

Closing 'Windows' on Antitrust or Opening a New Era of Intervention?:
Competition Policy after the Microsoft Settlement. CATO Institute.
January 16, 2002. Washington, DC. For more information:

Debating Privacy and ICT: Before and After September 11th. Rathenau
Instituut. January 17, 2002. Amsterdam, The Netherlands. For more
information: http://www.privacyconference.nl/

Eye in the Sky and Everywhere Else: Do Biometric Technologies Violate
Our Rights? CATO Insitute. January 24, 2002. Washington, DC. For more
information: http://www.cato.org/events/020124pf.html

National Conference on Organized Resistance. American University
Animal Rights Effort. January 25-27, 2002. Washington, DC. For more
information: http://www.organizedresistance.org/

The Biometric Consortium Conference. February 13-15, 2002 (rescheduled
from September 12-14, 2001). Arlington, VA. For more information:

CLA 6th Annual Cyberspace Camp Conference. Computer Law Association.
February 14-16. San Jose, CA. For more information: 

Moving to the Forefront of Privacy Management for Bank & Financial
Services Executives. World Research Group. February 26-28, 2002. New
Orleans, LA. For more information: http://www.worldrg.com/

2nd Annual BNA Summit: Combatting Cyber Attacks on your Corporate
Data. Bureau of National Affairs. February 27-28, 2002. Washington,
DC. For more information: http://cybersecurity.pf.com

International Symposium on Freedom of Information and Privacy. Office
of the New Zealand Privacy Commissioner. March 28, 2002. Auckland, New
Zealand. For more information: Blair.Stewart@privacy.org.nz

Workshop on Privacy Enhancing Technologies. April 14-15, 2002. San
Francisco, CA. For more information: http://www.pet2002.org/

CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy.
April 16-19, 2002. San Francisco, CA. For more information:

2002 IEEE Symposium on Security and Privacy. IEEE and the
International Association for Cryptologic Research. May 12-15, 2002.
Oakland, CA. For more information:

INET 2002. Internet Society. June 18-21, 2002. Washington, DC. For
more information: http://www.isoc.org/inet2002/

Subscription Information

Subscribe/unsubscribe via Web interface:


Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe"

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:



Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

   ---------------------- END EPIC Alert 9.01 -----------------------