EPIC logo





=======================================================================
                         E P I C  A l e r t
=======================================================================
Year in Review                                        January 4, 2007
-----------------------------------------------------------------------

                          Published by the
            Electronic Privacy Information Center (EPIC)
                          Washington, D.C.
                           
          http://www.epic.org/alert/EPIC_Alert_yir2006.html

======================================================================
       2 0 0 6   P R I V A C Y   Y E A R   I N   R E V I E W
======================================================================

Congress returns to Washington this week and privacy issues are likely
to get renewed attention with unresolved questions about the President's
domestic surveillance program, the future of Real ID, and the growth of
the data broker industry. Meanwhile courts will consider sex bloggers
and the media will try to sort through the increasingly complicated
world of surveillance technology.

Here are the Top Ten Privacy Stories of 2006 and Ten Privacy Issues to
Watch in 2007 from the Electronic Privacy Information Center (EPIC):

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Millions of Military Records Go Missing

In 2006, a stolen laptop with the records of 27 million American
veterans and active duty military personnel gripped the nation and
produced Congressional hearings, new legislation, and new policies for
government employees who take their work home with them. Veterans
Affairs Secretary Jim Nicholson tried to explain to Congress why it took
almost two weeks before he was notified about the missing data which
included information on 1.1 million active service members, 430,000
National Guardsmen, 645,000 Reserve members and the names, birth dates
and Social Security numbers of about 26 million people, most of them
veterans.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  * 

Identity Theft Keeps Top Spot

The Federal Trade Commission once again found identity theft leading the
list of the Top 10 consumer complaints, accounting for 255,000 of the
686,000 complaints filed with the agency. That is the sixth year in
a row that identity theft topped the list. The FTC also found an
increase in child ID theft, wire transfer payment fraud, and that
Internet-related complaints accounted for 46 percent of all fraud
complaints.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

NSA Domestic Spying

Last year, news reports revealed that President Bush secretly issued an
executive order in 2002 authorizing the National Security Agency to
conduct warrantless surveillance of international telephone and Internet
communications on American soil. In May, USA Today reported that US
telephone companies turned over records on millions of American citizens
to the government without any judicial oversight. Then in August a
federal judge ruled that the government's warrantless wiretapping
program is unconstitutional. Judge Anna Diggs Taylor said the program
violates the rights to free speech and privacy as well as separation of
powers. Recent release of Pentagon documents shows that counterterrorism
resources were used to monitor American peace groups opposed to the war
in Iraq and military recruitment.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

H-P Spy Scandal

We hate to admit it, but the Hewlett-Packard spy scandal was one of the
top privacy stories of the year. Who would have imagined that the
directors of Silicon Valley's high-tech icon would send private
investigators to dig into the telephone records of board members and
journalists? Still, we wonder if government agents sifting through the
phone records of millions of American citizens without judicial
oversight would have provided a better reason to hold primetime
Congressional hearings.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Choicepoint Gets Privacy Religion

In 2005 the data broker and former recipient of a Big Brother Award was
caught selling personal information about 185,000 American consumers to
a criminal ring engaged in identity theft. In 2006, the company was hit
with a $15 million fine, the largest penalty in Federal Trade Commission
history. Then Choicepoint went on a privacy campaign, providing
consumers with rights to access certain records and cutting back on some
of its more egregious business practices.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Passenger Profiling and Terrorist Scoring

Congress suspended the Secure Flight program after significant privacy
and security risks were uncovered. Meanwhile, the Department of Homeland
Security revealed that a "risk assessment" program, which is essentially
a terrorist risk rating, was expanded from  screening shipping cargo to
scrutinizing travelers. The Automated Targeting System mines a vast
amount of data to create a "risk assessment" on hundreds of millions of
people per year, a label that will follow them for the rest of their
lives, as the data will be retained for 40 years. According to a report
by the Government Accountability Office more than 30,000 travelers have
already been mistakenly linked to names on terror watch lists when they
crossed the border, boarded commercial airliners or were stopped for
traffic violations.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Digital Strip Searches

Sky Harbor International Airport located in Phoenix is slated to be the
first US airport to field test a new "backscatter X-ray" system. The
screening machines, which were supposed to be operational by
mid-December, have already been plagued with technical difficulties that
have delayed the testing period until sometime in 2007. The backscatter
machines produce photo-quality images of metal, plastic and organic
materials underneath clothes by using low-radiation X-rays, which reveal
not only prohibited items but also medical details such as prosthetic
devices and old injuries. The fact that the machines are designed
to record and store images has largely escaped notice by the mainstream
media.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  * 

Europeans Battle US Over Privacy

Tension over data sharing between Europe and the US was highlighted in
disputes over the transfer of European financial records and European
travel records to the US government. European privacy officials
concluded that SWIFT violated data protection laws when it secretly
transferred records of millions of private financial transactions to
American intelligence agencies. The European Court of Justice struck
down the passenger name record deal that allowed the transfer of
personal information on European travelers to the US government.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  * 

Congress Passes Phone Pretexting Bill

Last summer, Hewlett-Packard's use of pretextng to investigate directors
and journalists sparked renewed Congressional interest in the technique
to obtain personal information by fraudulent means. So Congress passed
the Law Enforcement and Phone Privacy Protection Act, which creates
federal criminal penalties for pretexters who access telephone records
- including voice-over-IP calling records. However, the bill only
applies to phone records, and it provides an exemption for law
enforcement, which means that law enforcement officials can bypass the
judicial subpoena process and use false and fraudulent representations
to gain access to the telephone records.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

National ID Cards

Last year’s passage of the Real ID Act has resulted in much criticism
from individual states, who will now bear the cost of meeting the
federal government’s standard for issuing state driver's licenses and
identification cards. States have also noticed that the records
retention and information sharing requirements of Real ID could trump
the Drivers Privacy Protection Act. With less than 18 months to
go before the deadline for state compliance, the Department of
Homeland Security has still not released the Real ID Act Regulations.

Potential problems with requiring identification documents were
highlighted by an incident at UCLA last fall. An Iranian student who
was quietly studying in the campus library was detained by the police
and shot several times with a police taser when he failed to provide an
identity document. An independent investigation of the incident is
ongoing.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  * 

======================================================================
ISSUES TO WATCH IN 2007
======================================================================

Privacy Oversight and the New Congress

After several years of complaining about one-party rule, the Democrats
will get their chance to hold the gavel when the 110th Congress convenes
in January. The hearings on the privacy rights of Americans, the
misspent funds on surveillance technology, and the flagrant abuse of
law could be interesting to watch, particularly in committees where
administrations officials have stonewalled members of Congress. Can
anyone spell S-U-B-P-O-E-N-A?

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

REAL ID Not So Real?

Almost two years ago, the White House and a powerful Congressman
pushed through legislation to turn the state drivers license into
a quasi-National ID Card. But the Department of Homeland Security
has been slow to embrace the law, Rep. Sensenbrenner is no longer
Chairman, and already legislation has been introduced to repeal
Real ID. Add in an estimated cost of over 11 billion dollars and
2007 may be the end of the short-lived US experiment with a national
identity system.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Renewed Interest in Medical Records Privacy 

The 109th Congress ended without passing controversial
Health IT legislation that would have exposed Americans' most sensitive
medical records on an electronic network. According to congressional
aides and lobbyists, lawmakers will go back to the drawing board in the
new year and craft new legislation rather than reintroduce the same
bills that ground to a halt in negotiations between the houses.

The private sector will be developing its own electronic medical
systems, such as the Applied Materials, BP America, Inc., Intel
Corporation, Pitney Bowes, Inc. and Wal-Mart –funded Dossia system,
announced in late 2006. How long before medical record identity
theft and security breaches?

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

EU-US Privacy Showdown

The US will face more battles in 2007 with the Europeans about the
use of European data. A temporary agreement on the collection
passenger data has been hammered in the European Parliament. And
the terrorist scoring for European tourists has even frequent
flyers canceling upgrades.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

"No-swipe" credit cards

Watch for further development on "contactless" credit cards as Congress
wakes up to the dangers of RFID technology. Credit cards that contain
RFID microchips have earned the nickname "spychips" because the
information they contain can be read without an individual's knowledge
or consent. In December, a member of the Senate Banking Committee
denounced RFID "no-swipe" credit cards, stating that contracts for the
cards should have warning boxes disclosing "the known weaknesses of the
technology", such as the risk of identity theft.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Cell Phone Tracking and Spim

Those tiny cellphone screens are about to get a little busier. Verizon 
ended 2006 with the news it will place banner ads on cell phone
displays. Meanwhile, the police are hoping to avoid those burdensome
warrant requirements with new search procedures that will enable
location tracking of cellphone users. Even devices in the off position
send a signal. Time for the tin foil.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Privacy in Second Life

The virtual world is seeming less virtual. Real estate speculators,
law school professors, tech journalists and event planners are
all moving online, dressing their avatars in hip new outfits. But
what happens when Second Life and Real Life collide?

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Databanks of Children

Even before they get a cellphone or an IM account, kids will find
their private lives in new government databases, tracking everything
from drug dosages to grades in math. Simple privacy idea: make sure
that kids know what schools know about them. Second idea: hold
schools liable for the misuse of information that is collected.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Sex Blogging

When Washingtonienne Jessica Cutler put her sexcapades online, she
launched a new era in privacy law. Are bloggers responsible for the
private facts of others they put online? Is it political speech? Is it
a diary? Or is it just very uncool? One federal court will get to
answer these questions this year.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Smarter Cameras, More Surveillance

Two technology trends may converge in 2007 as the ability to process
digital images is gradually incorporated in cameras designed for
surveillance. This means that cameras in public spaces might be able to
scan crowds and match images against databases of facial images, such
as the state DMV records. Other applications could include backscatter
x-ray devices that look under clothes for weapons and explosive
devices. The systems are unlikely to be very reliable, but they will
raise new privacy issues.

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information, visit
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248
(fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:

      http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

------------------ End EPIC 2006 Year in Review  ------------------

.