==============================================================
                          EPIC Alert
==============================================================
Volume 9.02                                   January 29, 2002
--------------------------------------------------------------
     Published by the Electronic Privacy Information Center (EPIC)
                        Washington, D.C.
          http://www.epic.org/alert/EPIC_Alert_9.02.html

=======================================================================
Table of Contents
=======================================================================
[1] Qwest Backs Down from Opt-Out Marketing Plan
[2] State AGs Urged to Protect Consumers from Microsoft Passport
[3] EPIC Files FOIA Suit for Profiling Records
[4] FTC Proposes Telemarketing Do-Not-Call List
[5] Policy Forum Debates Face Recognition Technology
[6] Eli Lilly Settles with FTC over Privacy Violation
[7] EPIC Bookstore - Privacy and the Information Age
[8] Upcoming Conferences and Events

=======================================================================
[1] Qwest Backs Down from Opt-Out Marketing Plan
=======================================================================

Qwest Communications announced on Monday that it is withdrawing its plan to share private customer information, which was implemented during the December billing period. Citing numerous customer concerns, the company has stated that it will wait until the Federal Communications Commission (FCC) has proposed a final rule on the issue. This decision followed a nationwide campaign, led by EPIC, to force Qwest to change its policy. EPIC wrote to Qwest President Afshin Mohebbi in early January, urging him to suspend the plan to use telephone-call records for marketing purposes.
Others vociferously opposed to the company's opt-out policy included Washington State Attorney General Christine Gregoire, Minnesota Senator Paul Wellstone, and the Arizona Corporation Commissioners. Qwest is the first company in the telecom industry to announce that it will not share private customer account information until the FCC has had an opportunity to issue new rules on the process. SBC-Ameritech and Verizon -- both of which also implemented opt-out plans in the last month -- have stated no similar intention of withdrawing their information-sharing plans.

The Telecommunications Act of 1996 required telecommunications companies to obtain customers' approval prior to sharing customer proprietary network information (CPNI), or data collected by telecommunications corporations about a consumer's telephone calls, with third parties. EPIC and other privacy advocates and consumer rights groups argued that "approval" implied that a consumer had to give positive, express consent to the sharing of information: that is, to "opt-in" to the marketing scheme. Telecommunications companies argued that they could start from a presumption of approval, and allow customers the choice to "opt-out" of the marketing program by explicitly withdrawing their consent.

In 1998, the FCC instituted a rule requiring that customers "opt-in" to the marketing program for personal information contained in their CPNI to be shared or used for marketing purposes. U.S. West (now Qwest) challenged the FCC rule in the 10th Circuit Court of Appeals, which found that the FCC had failed to provide adequate evidence to establish that the rule furthered a substantial government interest, that it materially advanced such an interest, and that it was narrowly tailored to serve that interest. In October 2001, the FCC initiated a rulemaking procedure on the issue by requesting comments from all parties to create a more complete record.
EPIC initiated the campaign for opt-in by filing comments and reply comments at the FCC last November. Following Qwest's implementation of an opt-out policy, the FCC announced that it would continue to accept comments from consumers wishing to express their opinion in this ongoing debate. Consumers wishing to do so can comment by e-mail at fccinfo@fcc.gov or by regular mail: FCC, 445 12th St. S.W., Washington, D.C. 20554, attn: Consumer Information Bureau. Reference Docket No. 96-115.

For a history of the CPNI debate, see EPIC's CPNI page:

     http://www.epic.org/privacy/cpni/

=======================================================================
[2] State AGs Urged to Protect Consumers from Microsoft Passport
=======================================================================

EPIC sent a letter today to state attorneys general across the nation urging them to protect citizens from the privacy and security risks of Microsoft Passport through the use of state laws against unfair and deceptive trade practices.

Microsoft Passport is an online identification and authentication system that enables profiling of individuals' browsing, shopping, and content consumption behaviors. Microsoft officials have publicly stated that the company's goal is to have every Internet user in the Passport system. Through tying Passport to the Windows XP operating system, and to an ever-increasing number of web site registrations, Microsoft claims over 200 million Passport accounts.

Microsoft appears to have violated state laws by failing to provide adequate notice of the privacy and security risks raised by Passport. Additionally, Microsoft likely violated state laws by representing that Passport gives users control of their data when in reality, Microsoft has control of user data.

State laws often provide broader consumer protections than federal statutes. For instance, in California, the protection of privacy against government and business interests is an inalienable right that is embodied in the state Constitution. California has a public policy and mandate to protect consumers. Through interpretation of this mandate, the California Attorney General, or private persons, could initiate a lawsuit to protect consumers from Microsoft Passport.

In two previous filings with the Federal Trade Commission (FTC), fifteen privacy and consumer protection organizations urged the Commission to investigate Microsoft Passport and related services. Since filing these complaints, there have been numerous security breaches in the Passport system; however, the Commission has taken no public action to investigate Microsoft.

EPIC's Letter to State Attorneys General:

     http://www.epic.org/privacy/consumer/microsoft/stateagletter.html

EPIC's "Sign Out of Passport" Page:

     http://www.epic.org/privacy/consumer/microsoft/

=======================================================================
[3] EPIC Files FOIA Suit for Profiling Records
=======================================================================

On January 21, EPIC asked a federal court to order the disclosure of records regarding the sale of personal information to law enforcement agencies. Government access to personal data has become more controversial since September 11 as anti-terrorism investigative powers have been expanded.

In a complaint filed in federal district court, EPIC charged that the Departments of Justice and Treasury have violated the law by failing to respond to a series of Freedom of Information Act (FOIA) requests that EPIC has submitted. The FOIA requests sought records relating to "transactions, communications, and contracts" between law enforcement agencies and private firms that are engaged in the sale of personal information.
The information requests were submitted in response to news reports that ChoicePoint, a profiling company, routinely sells personal information to federal law enforcement agencies. The requests were filed with the Federal Bureau of Investigation, the Drug Enforcement Agency, the United States Marshals Service, the Internal Revenue Service, the Immigration and Naturalization Service, and the Bureau of Alcohol, Tobacco and Firearms.

"Through the mining of public records and the purchase of credit reporting data, private sector companies are amassing troves of personal information on citizens for the government," said EPIC attorney Chris Hoofnagle, who filed the court challenge. "Serious questions exist involving citizen access to profiles, their accuracy, and the potential for misuse of personal information."

Documents obtained by EPIC show that ChoicePoint and Experian, another profiling company, sold the IRS credit header data, property records, state motor vehicle records, marriage and divorce data, and international asset location data. IRS employees have access to this personal data from their desktop computers. To facilitate the IRS account and access for other law enforcement agencies, ChoicePoint has created a federal government web portal at http://www.cpgov.com/.

"ChoicePoint and Experian are selling profiles on citizens with little public awareness or oversight," said Hoofnagle. "We need to ask ourselves: who is watching the watchers?"

The complaint in EPIC v. Department of Justice, et al. is online at:

     http://www.epic.org/privacy/litigation/profilingcomplaint.html

EPIC's Consumer Profiling Page:

     http://www.epic.org/privacy/profiling/

EPIC's Public Records Profiling Page:

     http://www.epic.org/privacy/publicrecords/

=======================================================================
[4] FTC Proposes Telemarketing Do-Not-Call List
=======================================================================

On January 22, the Federal Trade Commission (FTC) issued a Notice of a Proposed Rulemaking to amend the Telemarketing Sales Rule (TSR). The Rule was issued in August 1995 pursuant to the Telemarketing Consumer Fraud and Abuse Prevention Act of 1994 to protect consumers from invasive and fraudulent telemarketing practices. It currently restricts telemarketing calls to between the hours of 8:00 a.m. and 9:00 p.m., requires telemarketers to identify calls as sales calls, and prohibits deceptive or false sales pitches.

The proposed amendment to the rule would create a national Do-Not-Call (DNC) list for individuals who wish to avoid sales calls, prohibit the use of "pre-acquired account information" in telemarketing, and prohibit telemarketers from blocking or circumventing Caller-ID systems. Increased protection for consumers from unwanted or fraudulent telemarketing was included as a key part of the FTC's new privacy agenda, which was released by Chairman Muris on October 4, 2001 (see Alert 8.20).

The move is supported by privacy and consumer advocates who point out that Congress clearly intended the creation of a national Do-Not-Call (DNC) list when it passed the Telephone Consumer Protection Act of 1991. That Act authorized the Federal Communications Commission (FCC) to issue regulations that would allow individuals to opt out of telemarketing calls in an efficient manner and without cost.
Congress specifically noted that this "may require the establishment and operation of a single national database" of telephone numbers of individuals who had opted out. The FCC, however, under pressure from the Direct Marketing Association and other industry lobbyists, decided instead to implement a more limited system whereby individuals have to opt out of calls on a company-by-company basis.

The FTC is encouraging the public to comment on the proposed changes. Written comments will be accepted until March 29, 2002. The FTC will then hold a public forum to discuss the issues raised during the comment period. Notice of intention to participate in this event must also be submitted before March 29, 2002.

The Notice of Rulemaking is available at:

     http://www.ftc.gov/os/2002/01/16cfr310.pdf

The current Telemarketing Sales Rule is available at:

     http://www.ftc.gov/bcp/telemark/rule.htm

For more information on telemarketing, visit EPIC's Telemarketing Information Page:

     http://www.epic.org/privacy/telemarketing/

and Junkbusters' Telemarketing Information Page:

     http://www.junkbusters.com/telemarketing.html

=======================================================================
[5] Policy Forum Debates Face Recognition Technology
=======================================================================

The Cato Institute hosted a policy forum entitled "Eye in the Sky and Everywhere Else: Do Biometric Technologies Violate Our Rights?" on January 24, 2002. Forum panelists debated the role that emerging biometric technologies could play in future society.

Frances Zelazny, Head of Corporate Communications at Visionics, one of the leading biometric vendors, saw face recognition technology being used for access control, surveillance, background checks, and the creation of secure IDs.
Zelazny favorably cited the example of Newham, a small crime-ridden borough of London, England, where face recognition technology was used in conjunction with a saturation of surveillance cameras to reduce the crime rate. She noted that the success of the system depended on the quality of images enrolled in the database, the participation of the subjects whose images are being captured, and the threshold of acceptance for false positive and false negative matches. Visionics suggests using internal privacy guidelines that include "no match, no memory," but seeks responsible public policy to put in place oversight and audit mechanisms to control the technology.

Dorothy Denning, professor of computer science at Georgetown University, reflected more broadly on the potential uses of biometric technology. She suggested that the use of this technology for authentication and anti-fraud purposes is relatively uncontroversial while its use in identification and profiling raises important public policy questions.

John Woodward, Jr., Senior Policy Analyst from RAND, echoed Visionics' call for responsible use of surveillance systems. He argued that both the up-front deployment of the surveillance system and, more significantly, the back-end databases need to be strictly regulated with regards to the information they collect and link with. Pre-September 11, Woodward conceded that the key question confronting policymakers was whether face recognition technology should be deployed in public. Post-September 11, however, the question is how such technology can be used. Woodward believes that face recognition technology can be used effectively to "keep bad people away." He also argued that there is no right to privacy in the facial features one shows in public, and therefore face recognition technology does not implicate any rights violation.

Marc Rotenberg, Executive Director of EPIC, took a different position on the rights violated by new surveillance technologies. He argued that these systems compel a person's identity in a public place, and that there is a long tradition in American constitutional law that protects people from such coercive action by enforcement authorities (see EPIC's amicus brief in the Watchtower Bible case). Rotenberg drew a parallel between new surveillance technology and wiretap technology in the late 1920s. While surveillance technology is still in its infancy, he argued that Congress needs to develop laws, as it did for wiretaps, to limit the indiscriminate and unregulated use of such technology. Face recognition and other biometric identification technologies are "Technologically Assisted Physical Searches" (TAPS), suggested Rotenberg, and must have similar protections and oversight mechanisms as physical searches have in the law today.

American Bar Association (ABA) TAPS Guidelines:

     http://www.abanet.org/crimjust/standards/taps_toc.html

Issue Paper: Biometrics: Facing Up to Terrorism, by John D. Woodward, Jr.:

     http://www.rand.org/publications/IP/IP218/

Visionics Privacy Protection Principles:

     http://www.faceit.com/newsroom/biometrics/privacy.html

EPIC Face Recognition Page:

     http://www.epic.org/privacy/facerecognition/

EPIC's Watchtower Bible Amicus Brief (PDF):

     http://www.epic.org/anonymity/watchtower.pdf

=======================================================================
[6] Eli Lilly Settles with FTC over Privacy Violation
=======================================================================

On January 18, the Federal Trade Commission (FTC) announced a settlement in a case involving Eli Lilly and Company's accidental disclosure of the email addresses of 700 subscribers of a mental health information list. The FTC acted in response to a July 2001 American Civil Liberties Union (ACLU) complaint highlighting Lilly's negligence and requesting that the FTC take appropriate action. This is the first settlement of its kind resulting from negligence.

J. Howard Beales, III, Director of the Bureau of Consumer Protection at the FTC, emphasized that even an unintentional release of sensitive medical information is a serious privacy breach. Further, the FTC alleged that claims of privacy and confidentiality found in Lilly's privacy policies were deceptive due to Lilly's failure to implement a system to adequately protect sensitive information.

While the settlement did not involve the exchange of money, it did involve a promise on the part of Lilly to take appropriate security measures to protect consumer privacy. Under the settlement, Lilly is specifically required to designate personnel to coordinate and oversee a data protection program, identify risks to the security, confidentiality, and integrity of personal information, and to address these risks in all areas of its operations. Lilly must also conduct an annual written review to monitor compliance with the program, evaluate its effectiveness, and recommend any necessary changes.

In response to the settlement, FTC Commissioner Orson Swindle stated that "Lilly's responsiveness and its efforts to improve corporate privacy practices can be a model for others to follow." The FTC voted 5-0 to accept the proposed settlement, and an announcement will soon be published in the Federal Register regarding the proposed consent agreement. The agreement will then be subject to public comment, after which the Commission will decide whether to make it final.

The FTC's press release outlining the settlement is available at:

     http://www.ftc.gov/opa/2002/01/elililly.htm

The July 2001 ACLU complaint is available at:

     http://www.aclu.org/news/2001/n070501b.html

=======================================================================
[7] EPIC Bookstore - Privacy and the Information Age
=======================================================================

Privacy and the Information Age, by Serge Gutwirth, for the Rathenau Institute. Translated by Raf Casert.
     http://www.epic.org/bookstore/features/redirect.html

Privacy and the Information Age is an English translation, new for 2002, of Serge Gutwirth's 1998 "Privacyvrijheid." In this book, Gutwirth illustrates his thesis that privacy involves much more than just the protection of personal data; it is the fundamental safeguarding of an individual's freedom to decide whether he/she would like that data to be known or shared. Drawing on many international sources, Gutwirth examines challenges to privacy posed by new technologies, ultimately arguing that privacy is central to personal freedom, and that personal freedom is central to democracy.

================================

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws and Developments," (EPIC 2001). Price: $20.
     http://www.epic.org/bookstore/phr2001/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues, including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
     http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
     http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
     http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
     http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

** POSTPONED! ** First Privacy Expo 2001. Privacy & American Business and Privacy Council. Was November 27-29, 2001; will be rescheduled for February or March 2002. Washington, DC.
For more information: info@pandab.org

** POSTPONED! ** Eighth Annual National "Managing the NEW Privacy Revolution" Conference. Privacy & American Business and Privacy Council. Was November 28-29, 2001; will be rescheduled for February or March 2002. Washington, DC.
For more information: info@pandab.org

Second Annual Privacy and Data Security Summit. Privacy Officers Association. January 30-February 1, 2002. Washington, DC.
For more information: http://www.privacyassociation.org/html/conferences.html

The Biometric Consortium Conference. February 13-15, 2002 (rescheduled from September 12-14, 2001). Arlington, VA.
For more information: http://www.nist.gov/bcfeb02/

Congressional Briefing on Cybersecurity. Forum on Technology & Innovation. February 14, 2002. Washington, DC.
For more information: http://www.tech-forum.org/

CLA 6th Annual Cyberspace Camp Conference. Computer Law Association. February 14-16. San Jose, CA.
For more information: http://www.cla.org/cal_camp.htm

Moving to the Forefront of Privacy Management for Bank & Financial Services Executives. World Research Group. February 26-28, 2002. New Orleans, LA.
For more information: http://www.worldrg.com/

2nd Annual BNA Summit: Combatting Cyber Attacks on your Corporate Data. Bureau of National Affairs. February 27-28, 2002. Washington, DC.
For more information: http://cybersecurity.pf.com/

Understanding Privacy: New Laws, New Challenges. BC Freedom of Information and Privacy Association (FIPA). March 11-12, 2002. Vancouver, British Columbia, Canada.
For more information: http://ellisriley.on.ca/fipa/

HIPAA Summit West II: The Leading Forum on Healthcare Privacy, Confidentiality, Data Security, and HIPAA Compliance. March 13-15, 2002. San Francisco, CA.
For more information: http://www.hipaasummit.com/

Fourth Annual e-ProtectIT Infrastructure Security Conference. Norwich University. March 20-22, 2002. Northfield, Vermont.
For more information: http://www.e-protectIT.org/

International Symposium on Freedom of Information and Privacy. Office of the New Zealand Privacy Commissioner. March 28, 2002. Auckland, New Zealand.
For more information: Blair.Stewart@privacy.org.nz

Workshop on Privacy Enhancing Technologies. April 14-15, 2002. San Francisco, CA.
For more information: http://www.pet2002.org/

CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy. April 16-19, 2002. San Francisco, CA.
For more information: http://www.cfp2002.org/

2002 IEEE Symposium on Security and Privacy. IEEE and the International Association for Cryptologic Research. May 12-15, 2002. Oakland, CA.
For more information: http://www.ieee-security.org/TC/SP02/sp02index.html

INET 2002. Internet Society. June 18-21, 2002. Washington, DC.
For more information: http://www.isoc.org/inet2002/

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe"

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, or if you have any other questions.
=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 9.02 -----------------------