=======================================================================
                        E P I C   A l e r t
=======================================================================
Year in Review                                         January 11, 2005
-----------------------------------------------------------------------

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.

          http://www.epic.org/alert/EPIC_Alert_yir2004.html

======================================================================
       2 0 0 4   P R I V A C Y   Y E A R   I N   R E V I E W
======================================================================

Privacy debates continued in the United States in 2004 as proposals
for passenger profiling and new identity cards provoked public protest
and legislation. Google announced a new email service that offered
lots of free storage while also peeking at the users' private
messages. ID theft continued to be a national problem. And some
states, most notably California, adopted new laws to safeguard
personal privacy.

Here are the Top Ten Privacy Stories of 2004 from the Electronic
Privacy Information Center (EPIC):

* * * * * * * * * * * * * * * * * * * * * * * *

Foreign Opposition to USA PATRIOT Act

The USA PATRIOT Act, which gave government new authority to collect
information about American citizens and visitors to the United States,
came under increasing criticism from foreign governments in 2004.
Latin American countries objected to sending census data and voter
records to U.S. law enforcement agencies. Canadian officials warned
that the Patriot Act would violate Canadian law.

* * * * * * * * * * * * * * * * * * * * * * * *

Google Datamines Private Email

Apparently, there is a shortage of advertising on the Internet. At
least that must be part of the thinking behind Google's Gmail. The new
email service links keywords in private messages with web-based
advertising. Messages to business colleagues, family members, and
loved ones now produce discount travel offers and 10% off restaurant
deals.
Question to Google CEO Eric Schmidt: do we get to read your email?

* * * * * * * * * * * * * * * * * * * * * * * *

Expansion of US-VISIT

US-VISIT, an entry-exit border control system, launched in 2004.
Europeans bristled when fingerprinted at U.S. airports. In Brazil a
judge retaliated. He okayed the fingerprinting of U.S. tourists,
citing the U.S. government's treatment of visitors. US-VISIT expanded
rapidly following the award of a $15 billion contract to Accenture, a
Bermuda-based corporation that entered the U.S. to take the money and
then exited the country to avoid the corporate taxes. How about better
border control for corporate outsourcing?

* * * * * * * * * * * * * * * * * * * * * * * *

Death of Airline Passenger Profiling . . . Maybe

At a press conference in Washington, DC earlier in the year, Secretary
of Homeland Security Tom Ridge raised his hand as if to put a wooden
stake through the heart of "CAPPS II," the much-criticized passenger
profiling system. An independent government review decided that
assigning a "terrorist threat index" was not a great idea. Congress
and civil liberties groups slammed the program. The funding was
pulled. However, by year-end, a new passenger-screening program called
Secure Flight was moving forward. Next time, use garlic.

* * * * * * * * * * * * * * * * * * * * * * * *

U.S. Medical Records Go Overseas

Offshore outsourcing dramatically increases privacy risks, said a
government report in 2004. So U.S. accountants proposed corporate
disclosure of outsourcing practices. California passed a law to notify
consumers when their personal information went abroad. But elsewhere,
countries expressed concern about privacy protections in the United
States. Canada pulled out of a contract with a U.S. company that would
have provided services for the 2006 Canadian census.

* * * * * * * * * * * * * * * * * * * * * * * *

Data Disclosures -- Mission Creep Continues

The IRS reported that it made 3.7 billion disclosures of tax return
information in 2003 for tax and non-tax law enforcement and
statistical purposes. Meanwhile, the Pentagon proposed to use tax
returns to find "out-of-touch" reservists. The General Accounting
Office and the Technology and Privacy Advisory Committee issued
reports on government data mining and sharing of public and private
sector personal information data. The Census Bureau revised its
information sharing policy when it came to light that it has provided
information to Homeland Security on persons identifying themselves as
being of Arab ancestry.

* * * * * * * * * * * * * * * * * * * * * * * *

States Pull Out of Mini-Total Information Awareness Project

Of the thirteen states originally agreeing to participate in the
Multistate Anti-Terrorism Information Exchange (MATRIX), only five
remain. The program was an effort to establish a state-level data
mining project similar to the Total Information Awareness project
killed by Congress in 2003. State governors and attorneys cited their
own states' privacy laws.

* * * * * * * * * * * * * * * * * * * * * * * *

ID Theft a Growing Problem; Laws Stiffen Penalties

ID theft was the number one consumer complaint received by the Federal
Trade Commission in 2004. In response, Congress enacted laws to
provide stronger penalties for ID theft and "phishing," the use of
fake email addresses to lure sensitive personal information such as
credit card numbers from people.

* * * * * * * * * * * * * * * * * * * * * * * *

Prevent More Stringent ID Requirements for Voters

The Help America Vote Act placed greater identification requirements
on voters registering for the first time. This meant an excessive
burden was placed on those who wished to vote, but did not drive or
have a need for a state-issued identification card.
However, charges of voter fraud during the 2004 election season
persisted, which may spur Congress and state legislatures to make
greater identification demands on current and newly registered voters
as well as anyone attempting to vote.

* * * * * * * * * * * * * * * * * * * * * * * *

California Continues Privacy Reforms

While lawmakers in Washington dined with lobbyists, legislators in
Sacramento were enacting some of the best new privacy laws in the
United States. Among the new safeguards from the country's leading
privacy state -- laws that limit electronic surveillance in rental
cars, controls on the Social Security Number, a crackdown on spam and
spyware, and new protections for wireless phone numbers.

======================================================================
                       ISSUES TO WATCH IN 2005
======================================================================

The USA PATRIOT Act is up for renewal, state drivers licenses may
become national identity cards, big companies will go after privacy
laws, and new tags in your food may be telling your refrigerator when
you need to buy more OJ. George Orwell may have been off by a few
years, but privacy and technology are prepared to do battle again as a
new year unfolds.

* * * * * * * * * * * * * * * * * * * * * * * *

National ID

The queen of England has proposed that her subjects need a biometric
identifier, but the rest of the world is not so certain. The United
States took a half step toward national ID with federal mandates for
the states' drivers licenses, but stopped short of a full-blown
domestic passport. Expect a debate focused on the links between
upgraded state drivers licenses and federal agency databases.

* * * * * * * * * * * * * * * * * * * * * * * *

USA PATRIOT Act Renewal

The USA PATRIOT Act passed not long after the Senate was evacuated
because of anthrax. Now it's 2005 and Congress will need to decide
whether the Constitutional rollback will be permanent.
At issue are the electronic surveillance provisions that minimized the
role of the courts and gave the Attorney General broad new powers.
Note to Congress: real patriots defend the Constitution. And question
to the FBI: who was responsible for the anthrax?

* * * * * * * * * * * * * * * * * * * * * * * *

Telemarketers Attack Privacy Rules

The telemarketers are gearing up in 2005 to go after the most popular
privacy rules in the United States. The federal Do Not Call list now
includes more than 80 million subscribers who have just said no to
telemarketing calls at dinnertime. But the direct marketers have a new
strategy to open up loopholes in the rules and resume the calls. Also,
watch the opt-in privacy safeguards for the wireless phone directories
collapse unless Congress passes legislation. "Can you hear me now?"
"Yes, and please take me off your list."

* * * * * * * * * * * * * * * * * * * * * * * *

Google Tracks Reading?

The Net's number one search engine (and number one advertiser) is now
planning to convert many of the nation's libraries into digital
format. A tremendous boon for the public domain, but the cost may be
the loss of reader privacy. Remember to delete those Google cookies.

* * * * * * * * * * * * * * * * * * * * * * * *

Is it a Phone? Is it the Internet? It's VOIP!

Internet-based telephone service -- "VOIP" as the geeks and the policy
wonks say -- was expected to reach one million users by the end of
2004. But is VOIP a telecommunications service or an information
service? There are high stakes for privacy protection. Will the Do Not
Call Registry apply to it? Will providers be required to help law
enforcement access it? And will we be able to prevent "spit" -- the
new term for unsolicited commercial messages delivered to VOIP users?
Stay tuned!

* * * * * * * * * * * * * * * * * * * * * * * *

Smart Barcodes, RFID, and Products that Spy

Now that the next-generation standard for RFIDs has been agreed to and
adopted, we'll see an expansion of RFID products developed for the
market and more organizations beginning to switch to RFID tracking
systems for their own convenience. It will be necessary to develop
guidelines outlining the duties of RFID-using organizations and
setting out the rights of individuals who are exposed to RFID-enabled
products. Must wonder if such guidelines are needed to address RFIDs
in biometric passports approved by the International Civil Aviation
Organization . . .

* * * * * * * * * * * * * * * * * * * * * * * *

Internet Privacy

Expect a continuing state of flux when it comes to Internet
communications and your privacy. With spyware legislation, the ongoing
battles against spam, and the development of "spit," questions about
VOIP regulation and the application of law, not to mention the
upcoming decision in United States v. Councilman expected in spring
2005, the boundaries keep shifting.

* * * * * * * * * * * * * * * * * * * * * * * *

Outsourcing: Frying Pan or Fire?

Outsourcing continues to be an issue on both the domestic and
international front. Americans continue to be concerned about privacy
and security of offshore/outsourced data processing, tax return
preparation and call centers. Meanwhile, Canada and other countries
are reviewing their own outsourcing to the U.S. after concerns were
raised about the capacity of U.S. authorities to access such records.
It is ironic to recollect that one of the motivating factors of data
protection schemes was concern about facilitating international
relationships -- will the USA PATRIOT Act and its consequences put an
end to such profitable relations?

* * * * * * * * * * * * * * * * * * * * * * * *

Centralized Voter Registration Databases

The Help America Vote Act requires that all states develop and
implement centralized voter registration databases by 2006. The lack
of technical expertise on the part of state election administrators
may leave the centralization of voter registration lists to private
contractors or very insecure systems with poor administration. Either
case will make it difficult to ensure that personally identifiable
information of registered voters will be protected from misuse or
abuse. Expect Congress to take a closer look at the privacy standards
for voter registration records.

* * * * * * * * * * * * * * * * * * * * * * * *

WHOIS Directory

WHOIS, the online database of the millions of people who registered
web sites, still lacks basic privacy safeguards. After years of
review, the Internet Corporation for Assigned Names and Numbers
(ICANN), the folks who demand the data, should make 2005 the year it
finally establishes safeguards. Note to ICANN: self-regulation does
not mean no regulation.

======================================================================
                            Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

======================================================================
                              About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.
It was established in 1994 to focus public attention on emerging
privacy issues such as the Clipper Chip, the Digital Telephony
proposal, national ID cards, medical record privacy, and the
collection and sale of personal information. EPIC publishes the EPIC
Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, visit http://www.epic.org or
write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC
20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:

     http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

------------------ End EPIC 2004 Year in Review ------------------