
        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.14                                      July 25, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.
Table of Contents

[1] FCC Declines to Address Location Privacy Issues
[2] White House Unveils Homeland Security Strategy
[3] EPIC Files Brief in Wrongful Invasion of Privacy Suit
[4] Federal Appeals Court Affirms FTC Privacy Order
[5] FCC Adopts Modified Opt-In Plan for Customer Information
[6] EPIC Critiques Digital Rights Management Systems
[7] EPIC Bookstore - Ruling the Root
[8] Upcoming Conferences and Events

[1] FCC Declines to Address Location Privacy Issues

The Federal Communications Commission has decided not to develop rules
governing the collection and use of location data generated by
wireless communications systems.  In an order released on July 24, the
Commission said that a federal statute enacted in 1999 "imposes clear
legal obligations and protections for consumers," and that "the better
course is to vigorously enforce the law as written, without further
clarification of the statutory provisions by rule."  The FCC order
rejected a petition filed by the Cellular Telecommunications and
Internet Association (CTIA) which requested a rulemaking process to
develop uniform standards to implement the privacy provisions of the
Wireless Communications and Public Safety Act (WCPSA), which requires
"express prior authorization" by a consumer to approve "the use or
disclosure" of his or her "call location information."

EPIC supported the CTIA petition, and urged the FCC to establish
comprehensive, technologically neutral privacy protections that would
enable consumers to maintain meaningful control over the collection
and use of location data.  The Commission concluded that the privacy
provision contained in the WCPSA is adequate to protect consumers,
without any clarifying rules:

     We find [the WCPSA's] requirement of "express prior
     authorization" leaves no doubt that a customer must
     explicitly articulate approval before a carrier can use
     that customer's location information.  Thus, no rules are
     necessary because the statutory language is unambiguous,
     imposing clear legal obligations and protections for
     consumers.  . . . We are prepared to vigorously enforce
     the law as written, while monitoring whether further
     Commission action is necessary.  We believe handling the
     information in accordance with the statute provides
     adequate consumer protection against intrusion of
     consumers' privacy.

Commissioner Michael Copps dissented from the FCC decision, citing
EPIC's comments which noted that Commission rules are needed because
the statute's meaning apparently is subject to varying interpretations
within the wireless industry.  Commissioner Copps wrote that "Congress
did not define 'location information,' and without Commission action,
consumers and carriers will not know what is contained in this opaque
term until the question is subject to court action that follows a
potential privacy violation."

The FCC Order is available at:


EPIC's initial comments and reply comments are available at:



[2] White House Unveils Homeland Security Strategy

President Bush released the long-awaited "National Strategy for
Homeland Security" on July 16.  The document seeks to provide an
organizing framework for homeland security initiatives.  One of its
key proposals is the establishment of a new Department of Homeland
Security, which is currently being considered by Congress (the bill
has been reported out of the House Select Committee and debate on the
House floor is scheduled to begin today).  The legislation contains
several amendments that would be beneficial for privacy, including
establishing a Chief Privacy Officer in the new department and
explicitly preventing the development of a national ID card.  The new
Department, if created, will fold several federal agencies into one
organizational structure in an effort to better coordinate functions.
The National Strategy calls for increased information sharing among
government agencies and with the private sector.  EPIC and other open
government advocates have testified that greater transparency and
means of public accountability must balance any increased and
concentrated government powers (see EPIC Alert 9.13).

Also among the proposals contained in the "National Strategy" are
several measures that implicate privacy interests.  The Strategy calls
on states to lead the effort to create minimum standards for driver's
licenses.  Such a plan, while vague, appears to reject proposals by
the American Association of Motor Vehicle Administrations (AAMVA),
Sen. Richard Durbin (D-IL), and Reps. Tom Davis (R-VA) and James Moran
(D-VA), that would rely on the federal government to mandate uniform
standards for state driver's licenses.  EPIC's report, "Your Papers
Please," shows how a uniform driver's license regime could create a
nationwide system of identification.  The National Research Council's
report, "IDs - Not That Easy: Questions About Nationwide Identity
Systems," urges the government to proceed cautiously in this area
because of the profound issues such an identification system would
raise for the character of American society.

In other proposals, however, the Bush administration's apparent
opposition to ID schemes is notably absent.  The Strategy calls for
developing biometric technology, which purportedly "shows great
promise."  In an example cited in the document for a potential
application of biometrics -- preventing a terrorist from using false
documents and a disguise to elude airport security -- the White House
appears to be contemplating placing a biometric identifier on all
airline passengers' identification documents, including American
citizens.  All travel documents issued to aliens will incorporate
biometric identifiers by October 26, 2004, as per the Enhanced Border
Security and Visa Entry Reform Act of 2002.  Steve Cooper, the Chief
Information Officer of the Office of Homeland Security, is reported to
believe that devising better ways to accurately identify individuals
is a key part of the Bush administration's homeland security strategy,
although he claims that such systems will not be allowed to undercut
civil liberties.  EPIC recently submitted a statement to the Senate on
the unreliability of current biometric technology for large-scale
identification applications.  The statement also argues that biometric
databases are subject to new forms of abuse, which may be more
difficult to correct and could pose significant consequences for
individuals whose biometric identifier is compromised.

In another section that implicates privacy, the Strategy flags the
development of systems to detect "hostile intent" as a high priority.
The document states that "the Department of Homeland Security would
work with private and public entities to develop a variety of systems
that highlight such behavior and can trigger further investigation and
analysis of suspected individuals."  EPIC is currently pursuing a
lawsuit against the Transportation Security Administration seeking
information about the development of the CAPPS-II system for aviation
security, which would use such a system (see EPIC Alert 9.05).  The
administration has been reluctant to share details about how such
systems would be conceived and operated.

The "National Strategy For Homeland Security" is available at:


EPIC's Statement on Biometrics and Identity Theft:


EPIC's National ID Card page:


[3] EPIC Files Brief in Wrongful Invasion of Privacy Suit

EPIC has filed an amicus brief in a case brought by the estate of Amy
Boyer, a woman stalked and killed by a man who obtained information
about her through an online information brokerage/"pretexting" agency.
The brief argues that private investigators and information brokers
should be liable for wrongful privacy invasions of third parties about
whom they are collecting and disseminating information.  The case
arose after Amy Boyer was stalked and killed by a man who obtained
information about her through Docusearch, an information brokerage run
by private investigators.  Docusearch used pretexting to obtain
information about Ms. Boyer, including her address, which was
subsequently used by its client to track and kill her.

Liam Youens contacted Docusearch to obtain the date of birth of Amy
Lynn Boyer, a young woman with whom Youens had been obsessed since the
two attended high school together.  Youens later contacted Docusearch
to request Boyer's Social Security number (SSN) and employment
information.  Docusearch was unable to provide Boyer's date of birth,
but obtained her SSN from a credit reporting agency as part of a
credit header and provided it to Youens for $45.  Docusearch obtained
Boyer's work address by having a subcontractor, Michelle Gambino,
place a "pretext" call to Boyer.  Gambino pretended to be affiliated
with Boyer's insurance company, and requested "verification" of
Boyer's work address in order to facilitate an overpayment refund.
Docusearch charged Youens $109 for this information.  Then, on October
15, 1999, Youens drove to Boyer's workplace and fatally shot her as
she left work.  He then committed suicide.  A subsequent police
investigation revealed that Youens kept firearms and ammunition in his
bedroom, and maintained a Web site containing references to stalking
and killing Boyer, as well as detailing plans to murder her entire

Amy Boyer's mother sued Docusearch and the individual private
investigators that worked with Youens for several claims, including
wrongful death and invasion of privacy.  EPIC submitted an amicus
brief arguing that Docusearch should be liable under all claims.

EPIC's Amicus Brief is available at:


EPIC has created a Web page with information about the Amy Boyer case:


[4] Federal Appeals Court Affirms FTC Privacy Order

A federal appeals court on July 17 upheld a decision by a lower court
that limited the secondary use of individuals' financial information
and established that credit reporting agencies are "financial
institutions" that must abide by federal financial privacy
regulations.  The U.S. Court of Appeals for the D.C. Circuit rejected
a challenge by Trans Union, a credit reporting agency, to privacy
regulations promulgated by the Federal Trade Commission pursuant to
the Gramm-Leach-Bliley Act (GLBA).  Trans Union had claimed that as a
credit reporting agency, it was not subject to the FTC's rulemaking
authority under the GLBA; that the regulations' definition of
personally identifiable information was overbroad; that the
regulations' restrictions on third-party reuse were inconsistent with
the GLBA; and that the regulations infringed on Trans Union's First
Amendment free-speech rights.  The GLBA was enacted in 1999 to
restructure the financial services industry by eliminating legal
barriers to affiliations among financial services providers while also
giving consumers more control over their personally identifiable
financial information.

In addition to holding that credit reporting agencies are subject to
the GLBA's privacy regulations, the decision in Trans Union v. Federal
Trade Commission sustains the FTC's finding that names, addresses,
telephone and social security numbers are considered nonpublic
personal information under the GLBA and that financial institutions
wishing to disclose such information to a third party must provide
consumers with notice of the institution's disclosure policy and an
opportunity to opt out of disclosure.  The court's decision also
upholds FTC regulations prohibiting third parties, including credit
reporting agencies, from reusing any personal information they may
receive from other institutions.  For example, credit reporting
agencies that receive personally identifiable financial information
from another financial institution for credit verification purposes
may not reuse that information for marketing purposes.

The court also rejected Trans Union's contention that the regulations'
restrictions on disclosure and reuse of nonpublic personal information
violated its free speech rights by preventing it from disseminating
truthful, nonpersonal information, saying that such speech does not
relate to a matter of public concern and therefore is entitled to
reduced constitutional protection.  The court held that there is a
"substantial" governmental interest in protecting the privacy of
consumer credit information, and found the FTC regulations to be
narrowly tailored to achieve that interest.  The court rejected Trans
Union's argument that the FTC could have restricted less speech by
creating an additional notice and opt-out mechanism for third parties.

"There is no reason to believe a consumer would be more eager to
relinquish his privacy right to a [credit reporting agency] that
subsequently obtains his [nonpublic personal information] than he was
to the financial institution with which he initially dealt," Judge
Karen Henderson wrote.

Trans Union L.L.C. v. Fed. Trade Comm'n, No. 01-5202, 2002 U.S. App.
LEXIS 14321 (D.C. Cir. July 16, 2002):


[5] FCC Adopts Modified Opt-In Plan for Customer Information

The Federal Communications Commission adopted rules last week designed
to protect sensitive personal information of customers of
telecommunications carriers.  The Order provides for opt-in customer
approval for carriers' release of customer information to third
parties, but permits opt-out consent for release of information to
affiliated parties.  The Order specifically states that the Commission
will not block or preempt state efforts to regulate CPNI.

The regulations relate to "customer proprietary network information,"
which is protected from use absent "customer approval" by the 1996
Communications Act.  The FCC promulgated a rule in 1998 that required
telecommunication carriers to obtain explicit customer approval
(opt-in) before using such information in any manner inconsistent with
provision of services.  The FCC explicitly rejected an opt-out
approach as insufficiently protective of customer privacy.  However,
in 1999 the U.S. Court of Appeals for the 10th Circuit ruled that the
opt-in approach did not pass First Amendment scrutiny because the
decision to require "opt-in" was not adequately considered or
supported by existing facts.

In a statement issued with last week's regulations, Commissioner Copps
criticized the Commission's failure to adopt a total opt-in approach,
stating that the Order "does not preclude companies in all instances
from selling to the highest bidder personal and detailed information
about who Americans call, when they call, and how long they talk, as
long as these companies use it for some 'communications related'
purpose and have some undefined and murky affiliation, agency
relationship, or partnership with the phone company."  Both Chairman
Powell and Commissioner Martin indicated that the FCC would revisit
the issue "if evidence in the marketplace indicates that these rules
are insufficient to protect the consumers' right to safeguard their
personal information."

Commissioners' statements and the FCC press release are posted on the
FCC website:


EPIC's CPNI page:


[6] EPIC Critiques Digital Rights Management Systems

EPIC recently submitted public comments in response to a recent
Department of Commerce workshop on the current state of technical
standards for digital rights management (DRM).  The comments discussed
the potential harms of DRM on consumer and societal rights.  Panelists
from the Recording Industry Association of America, the Motion Picture
Association of America, Disney, two record companies, Microsoft, and
AOL Time Warner were in attendance at the workshop. However, only one
panelist represented consumers, although the audience -- which was not
allowed to address the roundtable -- was largely composed of public
interest advocates.

The Department invited written submissions on four topics: the
effectiveness of DRM technologies to provide a more predictable and
secure environment for copyrighted material, major obstacles facing an
open commercial exchange of digital content, what a future framework
for success might entail, and current consumer attitudes towards
online entertainment.  EPIC responded to these questions by arguing
that existing DRM technologies, designed to increase predictability
and security, invariably do so at the expense of consumers' rights to
privacy, freedom of expression, and "fair use," as well as the general
promotion of science and the useful arts.  Far from creating positive
conditions for commerce, EPIC argued that DRM subsidizes inefficient
channels of content delivery in the face of more efficient and more
equitable systems of distribution.

EPIC's Comments on DRM are available at:


EPIC's DRM Web Page:


[7] EPIC Bookstore - Ruling the Root

Milton L. Mueller, "Ruling the Root" (MIT Press 2002)


Ten years ago 1,500 people gathered in Kobe, Japan for the first
annual meeting of the Internet Society.  The mood was upbeat and the
program fast-paced.  Panels and workshops explored net access in the
developing world, new network applications and technologies, and
multi-media techniques.  A track on policy examined privacy, security,
appropriate use and globalization, but the focus at the conference was
clearly the protocols, not the policies.  Lawyers were the exception.
There was no Mosaic, let alone Netscape.  "Governance" was not yet on
the agenda.

Fast forward to the present.  The recent meetings of ICANN, the entity
created by the Department of Commerce to manage the central root
server, have been nothing short of rancorous.  An experiment in
Internet self-governance has mutated into an exercise in secret
policies, outraged critics, and increasing failures to make real
public participation.

What has happened in the past decade that has turned Internet policy
into such unpleasant business?  A good answer to this question will be
found in Milton Mueller's Ruling the Root (MIT Press 2002).

Mueller traces the early days of root management, associated with the
benevolent rule of Jon Postel, through the efforts of Ira Magaziner
and the Department of Commerce to create a non-profit corporation that
would "reflect the will of the Internet community," on to the present
day struggles where the struggles over public participation,
legitimacy, and scope threaten to pull the plug on ICANN.

His interest is in understanding how the management of the root, which
perhaps was too easily called "governance," became institutionalized.
His conclusion is simple: instead of a decentralized form of
governance, root management came to resemble radio frequency
allocation where a scarce resource (or perhaps more precisely, a
resource made scarce) could be used to leverage other policy goals. 
Or to push the Internet back into one of the boxes of Ithiel Pool's
famous taxonomy of communications technologies, management of the root
was treated as broadcast regulation rather than print publication. 
Not surprisingly, a battle over the allocation of newly minted
property rights followed.

Mueller's writing is clear and the coverage of the topic extensive,
though some may find the discussion slow-going.  This is not Katie
Hafner writing about the creation of the Internet or Steven Levy on
the birth of the hacker culture.  But this is a careful and serious
exploration of a topic in desperate need of such treatment.  Mueller
proposes several theoretic models to explain such topics in Internet
development as resource allocation and the formation of property
rights, though Mueller's well chosen analogies may actually do more to
help clarify some of the current policy challenges.  Consider, for
example, why there is little public debate over Ethernet addresses
(they are simply numbers, not names) or what the consequences might be
of adopting a controlled vocabulary for network identities (card
catalogs are too formal).  As professor Michael Froomkin elsewhere
observed, the "metaphor is the key" in many of the critical technology
policy debates.

Mueller touches briefly on some of the privacy problems that follow
from the current administration of the Internet.  The WHOIS database,
originally intended to allow network administrators to find and fix
problems with minimal hassle, now offers one-stop shopping for
spammers, criminal investigators, and copyright enforcers.  That WHOIS
data might be used for such purposes is probably unavoidable, but
whether WHOIS should be designed to facilitate such use is a topic
that deserves more debate.

Some of the conflicts in the growth of the Internet could be
anticipated.  The use of names rather than numbers to identify
computers connected to the Internet created genuine concerns for both
trademark maximalists and trademark minimalists.  But it also created
value and to go back to a system of numbers at this point, as some
have urged, would still be a net loss.

Mueller himself seems to oscillate between skeptic and idealist as he
offers his own assessment of the prospects for Internet governance. 
At times he appears critical of those, such as Internet law expert
David Johnson and cyberprof David Post, who believed that a new form
of government for the Internet was not only possible but necessary. 
At other times, he chastises those trademark lawyers who vigorously
protected their clients' interests in the .com domain asking why this
was necessary when the Internet made possible a much broader domain
space.  Well, yes, that would be true if the address space did indeed
expand, but scarcity is the current reality.

Mueller offers a clear warning that the institutionalization of the
root threatens to diminish the openness and decentralization of the
Internet.  But maybe there is another warning as well.  Perhaps
governance should be left to governments.  At least governments that
create the opportunity to vote have found it very difficult to later
retract the right.

- Marc Rotenberg

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, ID systems and freedom of information

"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

O'Reilly Open Source Convention. O'Reilly and Associates. July 22-26,
2002. San Diego, CA. For more information:

Cyberwar, Netwar and the Revolution in Military Affairs: Real Threats
and Virtual Myths. International School on Disarmament and Research on
Conflicts (ISODARCO). August 3-13, 2002. Trento, Italy. For more
information: http://www.isodarco.it/html/trento02.html

Emerging High Technology Legal Issues. University of Washington School
of Law, Washington Law School Foundation, and Shidler Center for Law
Commerce and Technology. August 5-7, 2002. Seattle, WA. For more
information: http://www.law.washington.edu/lct/

IT and Law. University of Geneva, University of Bern, Swiss
Association of IT and Law. September 9-10, 2002. Geneva, Switzerland.
For more information: http://www.informatiquejuridique.ch/

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy
Forum. September 17-19, 2002. Seattle, WA. For more information:

Privacy2002: Information, Security & New Global Realities. Technology
Policy Group. September 24-26, 2002. Cleveland, OH. For more
information: http://www.privacy2000.org/privacy2002/

Bridging the Digital Divide: Challenge and Opportunities. 3rd World
Summit on Internet and Multimedia. October 8-11, 2002. Montreux,
Switzerland. For more information: http://www.internetworldsummit.org/

2002 WSEAS International Conference on Information Security (ICIS
'02). World Scientific and Engineering Academy and Society. October
14-17, 2002. Rio de Janeiro, Brazil. For more information:

IAPO Privacy & Security Conference. International Association of
Privacy Officers. October 16-18, 2002. Chicago, IL. For more
information: http://www.privacyassociation.org/html/conferences.html

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally
Committed. Centre for Applied Cryptographic Research, University of
Waterloo and the Information and Privacy Commissioner/Ontario.
University of Toronto. November 7-8, 2002. Toronto, Canada. For more
information: http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College,
Pacific Center for Advanced Technology Training (PCATT). November
10-13, 2002. Waikiki, HI. For more information:

Transformations in Politics, Culture and Society. Inter-
Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more
information: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied Computer
Security Associates. December 9-13, 2002. Las Vegas, NV. For more
information: http://www.acsac.org/

Third Annual Privacy Summit. International Association of Privacy
Officers. February 26-28, 2003. Washington, DC. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information: http://www.cfp.org/

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:
     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.
   ---------------------- END EPIC Alert 9.14 -----------------------