    ==============================================================

        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @

    ==============================================================
    Volume 9.02                                   January 29, 2002
    --------------------------------------------------------------

                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

              http://www.epic.org/alert/EPIC_Alert_9.02.html

=======================================================================
Table of Contents
=======================================================================

[1] Qwest Backs Down from Opt-Out Marketing Plan
[2] State AGs Urged to Protect Consumers from Microsoft Passport
[3] EPIC Files FOIA Suit for Profiling Records
[4] FTC Proposes Telemarketing Do-Not-Call List
[5] Policy Forum Debates Face Recognition Technology
[6] Eli Lilly Settles with FTC over Privacy Violation
[7] EPIC Bookstore - Privacy and the Information Age
[8] Upcoming Conferences and Events

=======================================================================
[1] Qwest Backs Down from Opt-Out Marketing Plan
=======================================================================

Qwest Communications announced on Monday that it is withdrawing its
plan to share private customer information, which was implemented
during the December billing period.  Citing numerous customer
concerns, the company has stated that it will wait until the Federal
Communications Commission (FCC) has proposed a final rule on the
issue.

This decision followed a nationwide campaign, led by EPIC, to force
Qwest to change its policy.  EPIC wrote to Qwest President Afshin
Mohebbi in early January, urging him to suspend the plan to use
telephone-call records for marketing purposes.  Others vociferously
opposed to the company's opt-out policy included Washington State
Attorney General Christine Gregoire, Minnesota Senator Paul Wellstone,
and the Arizona Corporation Commissioners.

Qwest is the first company in the telecom industry to announce that it
will not share private customer account information until the FCC has
had an opportunity to issue new rules on the process.  SBC-Ameritech
and Verizon -- both of which also implemented opt-out plans in the
last month -- have stated no similar intention of withdrawing their
information-sharing plans.

The Telecommunications Act of 1996 required telecommunications
companies to obtain customers' approval prior to sharing customer
proprietary network information (CPNI), or data collected by
telecommunications corporations about a consumer's telephone calls,
with third parties.  EPIC and other privacy advocates and consumer
rights groups argued that "approval" implied that a consumer had to
give positive, express consent to the sharing of information: that is,
to "opt-in" to the marketing scheme.  Telecommunications companies
argued that they could start from a presumption of approval, and allow
customers the choice to "opt-out" of the marketing program by
explicitly withdrawing their consent.  In 1998, the FCC instituted a
rule requiring that customers "opt-in" to the marketing program for
personal information contained in their CPNI to be shared or used for
marketing purposes.

U.S. West (now Qwest) challenged the FCC rule in the 10th Circuit
court of appeals, which found that the FCC had failed to provide
adequate evidence to establish that the rule furthered a substantial
government interest, that it materially advanced such an interest, and
that it was narrowly tailored to serve that interest.  In October
2001, the FCC initiated a rulemaking procedure on the issue by
requesting comments from all parties to create a more complete record.

EPIC initiated the campaign for opt-in by filing comments and reply
comments at the FCC last November.  Following Qwest's implementation
of an opt-out policy, the FCC announced that it would continue to
accept comments from consumers wishing to express their opinion in
this ongoing debate.  Consumers wishing to do so can comment by e-mail
at fccinfo@fcc.gov or by regular mail: FCC, 445 12th St. S.W.,
Washington, D.C. 20554, attn: Consumer Information Bureau.  Reference
Docket No. 96-115.

For a history of the CPNI debate, see EPIC's CPNI page:

     http://www.epic.org/privacy/cpni/

=======================================================================
[2] State AGs Urged to Protect Consumers from Microsoft Passport
=======================================================================

EPIC sent a letter today to state attorneys general across the nation
urging them to protect citizens from the privacy and security risks of
Microsoft Passport through the use of state laws against unfair and
deceptive trade practices.

Microsoft Passport is an online identification and authentication
system that enables profiling of individuals' browsing, shopping, and
content consumption behaviors.  Microsoft officials have publicly
stated that the company's goal is to have every Internet user in the
Passport system.  By tying Passport to the Windows XP operating
system, and to an ever-increasing number of web site registrations,
Microsoft claims over 200 million Passport accounts.

Microsoft appears to have violated state laws by failing to provide
adequate notice of the privacy and security risks raised by Passport.
Additionally, Microsoft likely violated state laws by representing
that Passport gives users control of their data when in reality,
Microsoft has control of user data.

State laws often provide broader consumer protections than federal
statutes.  For instance, in California, the protection of privacy
against government and business interests is an inalienable right that
is embodied in the state Constitution.  California has a public policy
and mandate to protect consumers.  Through interpretation of this
mandate, the California Attorney General, or private persons, could
initiate a lawsuit to protect consumers from Microsoft Passport.

In two previous filings with the Federal Trade Commission (FTC),
fifteen privacy and consumer protection organizations urged the
Commission to investigate Microsoft Passport and related services.
Since filing these complaints, there have been numerous security
breaches in the Passport system; however, the Commission has taken no
public action to investigate Microsoft.

EPIC's Letter to State Attorneys General:

     http://www.epic.org/privacy/consumer/microsoft/stateagletter.html

EPIC's "Sign Out of Passport" Page:

     http://www.epic.org/privacy/consumer/microsoft/

=======================================================================
[3] EPIC Files FOIA Suit for Profiling Records
=======================================================================

On January 21, EPIC asked a federal court to order the disclosure of
records regarding the sale of personal information to law enforcement
agencies.  Government access to personal data has become more
controversial since September 11 as anti-terrorism investigative
powers have been expanded.  In a complaint filed in federal district
court, EPIC charged that the Departments of Justice and Treasury have
violated the law by failing to respond to a series of Freedom of
Information Act (FOIA) requests that EPIC has submitted.  The FOIA
requests sought records relating to "transactions, communications, and
contracts" between law enforcement agencies and private firms that are
engaged in the sale of personal information.

The information requests were submitted in response to news reports
that ChoicePoint, a profiling company, routinely sells personal
information to federal law enforcement agencies.  The requests were
filed with the Federal Bureau of Investigation, the Drug Enforcement
Agency, the United States Marshals Service, the Internal Revenue
Service, the Immigration and Nationalization Service, and the Bureau
of Alcohol, Tobacco and Firearms.

"Through the mining of public records and the purchase of credit
reporting data, private sector companies are amassing troves of
personal information on citizens for the government," said EPIC
attorney Chris Hoofnagle, who filed the court challenge.  "Serious
questions exist involving citizen access to profiles, their accuracy,
and the potential for misuse of personal information."

Documents obtained by EPIC show that ChoicePoint and Experian, another
profiling company, sold the IRS credit header data, property records,
state motor vehicle records, marriage and divorce data, and
international asset location data.  IRS employees have access to this
personal data from their desktop computers.  To facilitate the IRS
account and access for other law enforcement agencies, ChoicePoint has
created a federal government web portal at http://www.cpgov.com/.

"ChoicePoint and Experian are selling profiles on citizens with little
public awareness or oversight," said Hoofnagle.  "We need to ask
ourselves: who is watching the watchers?"

The complaint in EPIC v. Department of Justice, et al. is online at:

     http://www.epic.org/privacy/litigation/profilingcomplaint.html

EPIC's Consumer Profiling Page:

     http://www.epic.org/privacy/profiling/

EPIC's Public Records Profiling Page:

     http://www.epic.org/privacy/publicrecords/

=======================================================================
[4] FTC Proposes Telemarketing Do-Not-Call List
=======================================================================

On January 22, the Federal Trade Commission (FTC) issued a Notice of a
Proposed Rulemaking to amend the Telemarketing Sales Rule (TSR).  The
Rule was issued in August 1995 pursuant to the Telemarketing Consumer
Fraud and Abuse Prevention Act of 1994 to protect consumers from
invasive and fraudulent telemarketing practices.  It currently
restricts telemarketing calls to between the hours of 8:00 a.m. and
9:00 p.m., requires telemarketers to identify calls as sales calls,
and prohibits deceptive or false sales pitches.  The proposed
amendment to the rule would create a national Do-Not-Call (DNC) list
for individuals who wish to avoid sales calls, prohibit the use of
"pre-acquired account information" in telemarketing, and prohibit
telemarketers from blocking or circumventing Caller-ID systems.

Increased protection for consumers from unwanted or fraudulent
telemarketing was included as a key part of the FTC's new privacy
agenda, which was released by Chairman Muris on October 4, 2001 (see
Alert 8.20).  The move is supported by privacy and consumer advocates
who point out that Congress clearly intended the creation of a
national Do-Not-Call (DNC) list when it passed the Telephone Consumer
Protection Act of 1991.  That Act authorized the Federal
Communications Commission (FCC) to issue regulations that would allow
individuals to opt out of telemarketing calls in an efficient manner
and without cost.  Congress specifically noted that this "may require
the establishment and operation of a single national database" of
telephone numbers of individuals who had opted out.  The FCC, however,
under pressure from the Direct Marketing Association and other
industry lobbyists, decided instead to implement a more limited system
whereby individuals have to opt out of calls on a company-by-company
basis.

The FTC is encouraging the public to comment on the proposed changes.
Written comments will be accepted until March 29, 2002.  The FTC will
then hold a public forum to discuss the issues raised during the
comment period.  Notice of intention to participate in this event must
also be submitted before March 29, 2002.

The Notice of Rulemaking is available at:

     http://www.ftc.gov/os/2002/01/16cfr310.pdf

The current Telemarketing Sales Rule is available at:

     http://www.ftc.gov/bcp/telemark/rule.htm

For more information on telemarketing, visit EPIC's Telemarketing
Information Page:

     http://www.epic.org/privacy/telemarketing/

and Junkbusters' Telemarketing Information Page:

     http://www.junkbusters.com/telemarketing.html

=======================================================================
[5] Policy Forum Debates Face Recognition Technology
=======================================================================

The Cato Institute hosted a policy forum entitled "Eye in the Sky and
Everywhere Else: Do Biometric Technologies Violate Our Rights?" on
January 24, 2002.  Forum panelists debated the role that emerging
biometric technologies could play in future society.  Frances Zelazny,
Head of Corporate Communications at Visionics, one of the leading
biometric vendors, saw face recognition technology being used for
access control, surveillance, background checks, and the creation of
secure IDs.  Zelazny favorably cited the example of Newham, a small
crime-ridden borough of London, England, where face recognition
technology was used in conjunction with a saturation of surveillance
cameras to reduce the crime rate.  She noted that the success of the
system depended on the quality of images enrolled in the database, the
participation of the subjects whose images are being captured, and the
threshold of acceptance for false positive and false negative matches.

Visionics suggests using internal privacy guidelines that include "no
match, no memory," but seeks responsible public policy to put in place
oversight and audit mechanisms to control the technology.  Dorothy
Denning, professor of computer science at Georgetown University,
reflected more broadly on the potential uses of biometric technology.
She suggested that the use of this technology for authentication and
anti-fraud purposes is relatively uncontroversial while its use in
identification and profiling raises important public policy questions.

John Woodward, Jr., Senior Policy Analyst from RAND, echoed Visionics'
call for responsible use of surveillance systems.  He argued that both
the up-front deployment of the surveillance system and, more
significantly, the back-end databases need to be strictly regulated
with regard to the information they collect and link with.  Woodward
conceded that, pre-September 11, the key question confronting
policymakers was whether face recognition technology should be
deployed in public.  Post-September 11, however, the question is how
such technology can be used.  Woodward believes that face recognition
technology can be used effectively to "keep bad people away."  He also
argued that there is no right to privacy in the facial features one
shows in public, and therefore face recognition technology does not
implicate any rights violation.

Marc Rotenberg, Executive Director of EPIC, took a different position
on the rights violated by new surveillance technologies.  He argued
that these systems compel a person's identity in a public place, and
that there is a long tradition in American constitutional law that
protects people from such coercive action by enforcement authorities
(see EPIC's amicus brief in the Watchtower Bible case).  Rotenberg
drew a parallel between new surveillance technology and wiretap
technology in the late 1920s.  While surveillance technology is still
in its infancy, he argued that Congress needs to develop laws, as it
did for wiretaps, to limit the indiscriminate and unregulated use of
such technology.  Face recognition and other biometric identification
technologies are "Technologically Assisted Physical Searches" (TAPS),
suggested Rotenberg, and must have similar protections and oversight
mechanisms as physical searches have in the law today.

American Bar Association (ABA) TAPS Guidelines:

     http://www.abanet.org/crimjust/standards/taps_toc.html

Issue Paper: Biometrics: Facing Up to Terrorism, by John D. Woodward,
Jr.:

     http://www.rand.org/publications/IP/IP218/

Visionics Privacy Protection Principles:

     http://www.faceit.com/newsroom/biometrics/privacy.html
    
EPIC Face Recognition Page:

     http://www.epic.org/privacy/facerecognition/

EPIC's Watchtower Bible Amicus Brief (PDF):

     http://www.epic.org/anonymity/watchtower.pdf

=======================================================================
[6] Eli Lilly Settles with FTC over Privacy Violation
=======================================================================

On January 18, the Federal Trade Commission (FTC) announced a
settlement in a case involving Eli Lilly and Company's accidental
disclosure of the email addresses of 700 subscribers of a mental
health information list.  The FTC acted in response to a July 2001
American Civil Liberties Union (ACLU) complaint highlighting Lilly's
negligence and requesting that the FTC take appropriate action.

This is the first settlement of its kind resulting from negligence.
J. Howard Beales, III, Director of the Bureau of Consumer Protection
at the FTC, emphasized that even an unintentional release of sensitive
medical information is a serious privacy breach.  Further, the FTC
alleged that claims of privacy and confidentiality found in Lilly's
privacy policies were deceptive due to Lilly's failure to implement a
system to adequately protect sensitive information.

While the settlement did not involve the exchange of money, it did
involve a promise on the part of Lilly to take appropriate security
measures to protect consumer privacy.  Under the settlement, Lilly is
specifically required to designate personnel to coordinate and oversee
a data protection program, identify risks to the security,
confidentiality, and integrity of personal information, and to address
these risks in all areas of its operations.  Lilly must also conduct
an annual written review to monitor compliance with the program,
evaluate its effectiveness, and recommend any necessary changes.

In response to the settlement, FTC Commissioner Orson Swindle stated
that "Lilly's responsiveness and its efforts to improve corporate
privacy practices can be a model for others to follow."

The FTC voted 5-0 to accept the proposed settlement, and an
announcement will soon be published in the Federal Register regarding
the proposed consent agreement.  The agreement will then be subject to
public comment, after which the Commission will decide whether to make
it final.

The FTC's press release outlining the settlement is available at:

     http://www.ftc.gov/opa/2002/01/elililly.htm

The July 2001 ACLU complaint is available at:

     http://www.aclu.org/news/2001/n070501b.html

=======================================================================
[7] EPIC Bookstore - Privacy and the Information Age
=======================================================================

Privacy and the Information Age, by Serge Gutwirth, for the Rathenau
Institute. Translated by Raf Casert.

     http://www.epic.org/bookstore/features/redirect.html

Privacy and the Information Age is an English translation, new for
2002, of Serge Gutwirth's 1998 "Privacyvrijheid."  In this book,
Gutwirth illustrates his thesis that privacy involves much more than
just the protection of personal data; it is the fundamental
safeguarding of an individual's freedom to decide whether he/she would
like that data to be known or shared.  Drawing on many international
sources, Gutwirth examines challenges to privacy posed by new
technologies, ultimately arguing that privacy is central to personal
freedom, and that personal freedom is central to democracy.

                   ================================

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/phr2001/

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues, including data protection, telephone
tapping, genetic databases, ID systems and freedom of information
laws.

                   ================================

"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

                   ================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

                   ================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.

                   ================================

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

                   ================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

** POSTPONED! ** First Privacy Expo 2001. Privacy & American Business
and Privacy Council. Was November 27-29, 2001; will be rescheduled for
February or March 2002. Washington, DC. For more information:
info@pandab.org

** POSTPONED! ** Eighth Annual National "Managing the NEW Privacy
Revolution" Conference. Privacy & American Business and Privacy
Council. Was November 28-29, 2001; will be rescheduled for February or
March 2002. Washington, DC. For more information: info@pandab.org

Second Annual Privacy and Data Security Summit. Privacy Officers
Association. January 30-February 1, 2002. Washington, DC. For more
information: http://www.privacyassociation.org/html/conferences.html

The Biometric Consortium Conference. February 13-15, 2002 (rescheduled
from September 12-14, 2001). Arlington, VA. For more information:
http://www.nist.gov/bcfeb02/

Congressional Briefing on Cybersecurity. Forum on Technology &
Innovation. February 14, 2002. Washington, DC. For more information:
http://www.tech-forum.org/

CLA 6th Annual Cyberspace Camp Conference. Computer Law Association.
February 14-16. San Jose, CA. For more information:
http://www.cla.org/cal_camp.htm

Moving to the Forefront of Privacy Management for Bank & Financial
Services Executives. World Research Group. February 26-28, 2002. New
Orleans, LA. For more information: http://www.worldrg.com/

2nd Annual BNA Summit: Combatting Cyber Attacks on your Corporate
Data. Bureau of National Affairs. February 27-28, 2002. Washington,
DC. For more information: http://cybersecurity.pf.com/

Understanding Privacy: New Laws, New Challenges. BC Freedom of
Information and Privacy Association (FIPA). March 11-12, 2002.
Vancouver, British Columbia, Canada. For more information:
http://ellisriley.on.ca/fipa/

HIPAA Summit West II: The Leading Forum on Healthcare Privacy,
Confidentiality, Data Security, and HIPAA Compliance. March 13-15,
2002. San Francisco, CA. For more information:
http://www.hipaasummit.com/

Fourth Annual e-ProtectIT Infrastructure Security Conference. Norwich
University. March 20-22, 2002. Northfield, Vermont. For more
information: http://www.e-protectIT.org/

International Symposium on Freedom of Information and Privacy. Office
of the New Zealand Privacy Commissioner. March 28, 2002. Auckland, New
Zealand. For more information: Blair.Stewart@privacy.org.nz

Workshop on Privacy Enhancing Technologies. April 14-15, 2002. San
Francisco, CA. For more information: http://www.pet2002.org/

CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy.
April 16-19, 2002. San Francisco, CA. For more information:
http://www.cfp2002.org/

2002 IEEE Symposium on Security and Privacy. IEEE and the
International Association for Cryptologic Research. May 12-15, 2002.
Oakland, CA. For more information:
http://www.ieee-security.org/TC/SP02/sp02index.html

INET 2002. Internet Society. June 18-21, 2002. Washington, DC. For
more information: http://www.isoc.org/inet2002/

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe"

Back issues are available at:

     http://www.epic.org/alert/
 
The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, or if you have any
other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

   ---------------------- END EPIC Alert 9.02 -----------------------

