=======================================================================
E P I C   A l e r t
=======================================================================
Year in Review                                          January 4, 2007
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_yir2006.html

======================================================================
2 0 0 6   P R I V A C Y   Y E A R   I N   R E V I E W
======================================================================

Congress returns to Washington this week and privacy issues are likely to get renewed attention with unresolved questions about the President's domestic surveillance program, the future of Real ID, and the growth of the data broker industry. Meanwhile courts will consider sex bloggers and the media will try to sort through the increasingly complicated world of surveillance technology. Here are the Top Ten Privacy Stories of 2006 and Ten Privacy Issues to Watch in 2007 from the Electronic Privacy Information Center (EPIC):

* * * * * * * * * * * * * * * * * * * * * * * *

Millions of Military Records Go Missing

In 2006, a stolen laptop with the records of 27 million American veterans and active duty military personnel gripped the nation and produced Congressional hearings, new legislation, and new policies for government employees who take their work home with them. Veterans Affairs Secretary Jim Nicholson tried to explain to Congress why it took almost two weeks before he was notified about the missing data which included information on 1.1 million active service members, 430,000 National Guardsmen, 645,000 Reserve members and the names, birth dates and Social Security numbers of about 26 million people, most of them veterans.
* * * * * * * * * * * * * * * * * * * * * * * *

Identity Theft Keeps Top Spot

The Federal Trade Commission once again found identity theft leading the list of the Top 10 consumer complaints, accounting for 255,000 of the 686,000 complaints filed with the agency. That is the sixth year in a row that identity theft topped the list. The FTC also found an increase in child ID theft, wire transfer payment fraud, and that Internet-related complaints accounted for 46 percent of all fraud complaints.

* * * * * * * * * * * * * * * * * * * * * * * *

NSA Domestic Spying

Last year, news reports revealed that President Bush secretly issued an executive order in 2002 authorizing the National Security Agency to conduct warrantless surveillance of international telephone and Internet communications on American soil. In May, USA Today reported that US telephone companies turned over records on millions of American citizens to the government without any judicial oversight. Then in August a federal judge ruled that the government's warrantless wiretapping program is unconstitutional. Judge Anna Diggs Taylor said the program violates the rights to free speech and privacy as well as separation of powers. Recent release of Pentagon documents shows that counterterrorism resources were used to monitor American peace groups opposed to the war in Iraq and military recruitment.

* * * * * * * * * * * * * * * * * * * * * * * *

H-P Spy Scandal

We hate to admit it, but the Hewlett-Packard spy scandal was one of the top privacy stories of the year. Who would have imagined that the directors of Silicon Valley's high-tech icon would send private investigators to dig into the telephone records of board members and journalists? Still, we wonder if government agents sifting through the phone records of millions of American citizens without judicial oversight would have provided a better reason to hold primetime Congressional hearings.
* * * * * * * * * * * * * * * * * * * * * * * *

Choicepoint Gets Privacy Religion

In 2005 the data broker and former recipient of a Big Brother Award was caught selling personal information about 185,000 American consumers to a criminal ring engaged in identity theft. In 2006, the company was hit with a $15 million fine, the largest penalty in Federal Trade Commission history. Then Choicepoint went on a privacy campaign, providing consumers with rights to access certain records and cutting back on some of its more egregious business practices.

* * * * * * * * * * * * * * * * * * * * * * * *

Passenger Profiling and Terrorist Scoring

Congress suspended the Secure Flight program after significant privacy and security risks were uncovered. Meanwhile, the Department of Homeland Security revealed that a "risk assessment" program, which is essentially a terrorist risk rating, was expanded from screening shipping cargo to scrutinizing travelers. The Automated Targeting System mines a vast amount of data to create a "risk assessment" on hundreds of millions of people per year, a label that will follow them for the rest of their lives, as the data will be retained for 40 years. According to a report by the Government Accountability Office more than 30,000 travelers have already been mistakenly linked to names on terror watch lists when they crossed the border, boarded commercial airliners or were stopped for traffic violations.

* * * * * * * * * * * * * * * * * * * * * * * *

Digital Strip Searches

Sky Harbor International Airport located in Phoenix is slated to be the first US airport to field test a new "backscatter X-ray" system. The screening machines, which were supposed to be operational by mid-December, have already been plagued with technical difficulties that have delayed the testing period until sometime in 2007.
The backscatter machines produce photo-quality images of metal, plastic and organic materials underneath clothes by using low-radiation X-rays, which reveal not only prohibited items but also medical details such as prosthetic devices and old injuries. The fact that the machines are designed to record and store images has largely escaped notice by the mainstream media.

* * * * * * * * * * * * * * * * * * * * * * * *

Europeans Battle US Over Privacy

Tension over data sharing between Europe and the US was highlighted in disputes over the transfer of European financial records and European travel records to the US government. European privacy officials concluded that SWIFT violated data protection laws when it secretly transferred records of millions of private financial transactions to American intelligence agencies. The European Court of Justice struck down the passenger name record deal that allowed the transfer of personal information on European travelers to the US government.

* * * * * * * * * * * * * * * * * * * * * * * *

Congress Passes Phone Pretexting Bill

Last summer, Hewlett-Packard's use of pretexting to investigate directors and journalists sparked renewed Congressional interest in the technique to obtain personal information by fraudulent means. So Congress passed the Law Enforcement and Phone Privacy Protection Act, which creates federal criminal penalties for pretexters who access telephone records - including voice-over-IP calling records. However, the bill only applies to phone records, and it provides an exemption for law enforcement, which means that law enforcement officials can bypass the judicial subpoena process and use false and fraudulent representations to gain access to the telephone records.
* * * * * * * * * * * * * * * * * * * * * * * *

National ID Cards

Last year’s passage of the Real ID Act has resulted in much criticism from individual states, who will now bear the cost of meeting the federal government’s standard for issuing state driver's licenses and identification cards. States have also noticed that the records retention and information sharing requirements of Real ID could trump the Drivers Privacy Protection Act. With less than 18 months to go before the deadline for state compliance, the Department of Homeland Security has still not released the Real ID Act Regulations. Potential problems with requiring identification documents were highlighted by an incident at UCLA last fall. An Iranian student who was quietly studying in the campus library was detained by the police and shot several times with a police taser when he failed to provide an identity document. An independent investigation of the incident is ongoing.

* * * * * * * * * * * * * * * * * * * * * * * *

======================================================================
ISSUES TO WATCH IN 2007
======================================================================

Privacy Oversight and the New Congress

After several years of complaining about one-party rule, the Democrats will get their chance to hold the gavel when the 110th Congress convenes in January. The hearings on the privacy rights of Americans, the misspent funds on surveillance technology, and the flagrant abuse of law could be interesting to watch, particularly in committees where administration officials have stonewalled members of Congress. Can anyone spell S-U-B-P-O-E-N-A?

* * * * * * * * * * * * * * * * * * * * * * * *

REAL ID Not So Real?

Almost two years ago, the White House and a powerful Congressman pushed through legislation to turn the state drivers license into a quasi-National ID Card. But the Department of Homeland Security has been slow to embrace the law, Rep.
Sensenbrenner is no longer Chairman, and already legislation has been introduced to repeal Real ID. Add in an estimated cost of over 11 billion dollars and 2007 may be the end of the short-lived US experiment with a national identity system.

* * * * * * * * * * * * * * * * * * * * * * * *

Renewed Interest in Medical Records Privacy

The 109th Congress ended without passing controversial Health IT legislation that would have exposed Americans' most sensitive medical records on an electronic network. According to congressional aides and lobbyists, lawmakers will go back to the drawing board in the new year and craft new legislation rather than reintroduce the same bills that ground to a halt in negotiations between the houses. The private sector will be developing its own electronic medical systems, such as the Applied Materials, BP America, Inc., Intel Corporation, Pitney Bowes, Inc. and Wal-Mart-funded Dossia system, announced in late 2006. How long before medical record identity theft and security breaches?

* * * * * * * * * * * * * * * * * * * * * * * *

EU-US Privacy Showdown

The US will face more battles in 2007 with the Europeans about the use of European data. A temporary agreement on the collection of passenger data has been hammered out in the European Parliament. And the terrorist scoring for European tourists has even frequent flyers canceling upgrades.

* * * * * * * * * * * * * * * * * * * * * * * *

"No-swipe" credit cards

Watch for further development on "contactless" credit cards as Congress wakes up to the dangers of RFID technology. Credit cards that contain RFID microchips have earned the nickname "spychips" because the information they contain can be read without an individual's knowledge or consent. In December, a member of the Senate Banking Committee denounced RFID "no-swipe" credit cards, stating that contracts for the cards should have warning boxes disclosing "the known weaknesses of the technology", such as the risk of identity theft.
* * * * * * * * * * * * * * * * * * * * * * * *

Cell Phone Tracking and Spim

Those tiny cellphone screens are about to get a little busier. Verizon ended 2006 with the news it will place banner ads on cell phone displays. Meanwhile, the police are hoping to avoid those burdensome warrant requirements with new search procedures that will enable location tracking of cellphone users. Even devices in the off position send a signal. Time for the tin foil.

* * * * * * * * * * * * * * * * * * * * * * * *

Privacy in Second Life

The virtual world is seeming less virtual. Real estate speculators, law school professors, tech journalists and event planners are all moving online, dressing their avatars in hip new outfits. But what happens when Second Life and Real Life collide?

* * * * * * * * * * * * * * * * * * * * * * * *

Databanks of Children

Even before they get a cellphone or an IM account, kids will find their private lives in new government databases, tracking everything from drug dosages to grades in math. Simple privacy idea: make sure that kids know what schools know about them. Second idea: hold schools liable for the misuse of information that is collected.

* * * * * * * * * * * * * * * * * * * * * * * *

Sex Blogging

When Washingtonienne Jessica Cutler put her sexcapades online, she launched a new era in privacy law. Are bloggers responsible for the private facts of others they put online? Is it political speech? Is it a diary? Or is it just very uncool? One federal court will get to answer these questions this year.

* * * * * * * * * * * * * * * * * * * * * * * *

Smarter Cameras, More Surveillance

Two technology trends may converge in 2007 as the ability to process digital images is gradually incorporated in cameras designed for surveillance. This means that cameras in public spaces might be able to scan crowds and match images against databases of facial images, such as the state DMV records.
Other applications could include backscatter x-ray devices that look under clothes for weapons and explosive devices. The systems are unlikely to be very reliable, but they will raise new privacy issues.

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, visit http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

------------------ End EPIC 2006 Year in Review ------------------