=======================================================================
E P I C A l e r t
=======================================================================
Volume 10.16 August 6, 2003
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

     http://www.epic.org/alert/EPIC_Alert_10.16.html

======================================================================
Table of Contents
======================================================================

[1] TSA Issues CAPPS II Notice; Expands System
[2] Data Privacy Bill Introduced; Admiral Poindexter To Resign
[3] Bill Introduced to Reverse PATRIOT Act Provisions
[4] GAO Privacy Act Report Indicates Need for Better Compliance
[5] Researchers Find Flaws in Electronic Voting
[6] News in Brief
[7] EPIC Bookstore: Secure Coding: Principles & Practices
[8] Upcoming Conferences

======================================================================
[1] TSA Issues CAPPS II Notice; Expands System
======================================================================

The Transportation Security Administration (TSA) has released a supplementary Privacy Act notice outlining its plans to administer the Enhanced Computer Assisted Passenger Profiling System (CAPPS II). The agency claims that CAPPS II will enhance transportation security by relying upon private-sector database companies to identify passengers, and a set of secret procedures to perform a risk assessment on travelers. Passengers will be assigned a risk score by CAPPS that could subject them to heightened security screening or detention.

The notice is more specific about the TSA's planned collection, use, and storage of personal information than an earlier release in January 2003, but fundamental privacy problems with CAPPS remain.
The system establishes a government checkpoint on almost all commercial aviation that could be extended to other forms of transportation, or even to security at government buildings. In a significant expansion of the program, TSA announced that CAPPS II will not only scan for suspected terrorists, but also for those wanted for violent crimes.

The notice announces TSA's plans to allow a "passenger advocate" to provide access to information in CAPPS, along with an appeals process to address errors. However, the notice exempts CAPPS II from a number of Privacy Act requirements, including duties to grant access to personal information, duties to make an accounting of disclosures of personal information, provisions that limit the scope of information that can be maintained by the agency, and accountability provisions that apply criminal penalties for misuse of personal information.

Any member of the public can comment on the CAPPS II notice until September 30, 2003.

The TSA CAPPS II Notice is available at:

     http://www.epic.org/redirect/capps_notice.html

More information about CAPPS II and air travel privacy is available at EPIC's Air Travel Privacy Page:

     http://www.epic.org/privacy/airtravel

======================================================================
[2] Data Privacy Bill Introduced; Admiral Poindexter To Resign
======================================================================

Senator Ron Wyden (D-OR) has introduced S. 1484, the Citizens' Protection in Federal Databases Act. The bill would require the Departments of Justice, Defense, Homeland Security, Treasury, Central Intelligence Agency, and the Federal Bureau of Investigation to submit a report to Congress on use of private-sector databases, or lose funding for purchasing personal information from companies such as ChoicePoint and Lexis-Nexis. The report must give a detailed description of the contracts that the agencies have with private sector profilers.
The report will also cover how the agencies access personal information, how data mining is being employed, the type of data purchased, the purposes for which the information is used, whether there are security or audit mechanisms in place, and data retention practices.

The bill prohibits using data mining without some suspicion of criminal wrongdoing. That provision was included to prohibit the use of so-called "red teams" that would invent hypothetical scenarios for possible terrorist attacks and then search databases to detect traces of their fabricated plans.

In a separate development, Admiral John Poindexter, chief of the Defense Advanced Research Projects Agency's Information Awareness Office, will resign. Controversy surrounded Poindexter's appointment to the office, where he spearheaded research projects that had highly invasive applications, such as Total Information Awareness (TIA) and Human ID at a Distance.

Poindexter was well known in the computer security community for his involvement in National Security Decision Directive Number 145, a 1984 policy that would have given the National Security Agency control over security for all government computer systems containing "sensitive but unclassified" information. This was followed by a second directive that extended military authority over all computer and communications security for the federal government and private industry.
The text of the Citizens' Protection in Federal Databases Act is available at:

     http://thomas.loc.gov/cgi-bin/query/z?c108:S.1484:

Information about how private sector profilers use public records information is available at EPIC's Public Records Page:

     http://www.epic.org/privacy/publicrecords

FBI Documents Detailing Use of Private Sector Databases are available at:

     http://www.epic.org/privacy/publicrecords/cpfbippt.pdf

The text of NSDD 145 is available at:

     http://www.fas.org/irp/offdocs/nsdd145.htm

Information about Total Information Awareness is available at EPIC's Total Information Awareness Page:

     http://www.epic.org/privacy/profiling/tia

======================================================================
[3] Bill Introduced to Reverse PATRIOT Act Provisions
======================================================================

Senator Lisa Murkowski (R-AK) has introduced a bill meant to address risks to civil liberties posed by the USA PATRIOT Act. The Protecting the Rights of Individuals Act (PRIA), cosponsored by Senator Ron Wyden (D-OR), is intended to curtail considerable law enforcement search and seizure powers now permitted under the USA PATRIOT Act.

If enacted, the PRIA would require law enforcement agencies to obtain court orders to conduct electronic surveillance, and would heighten judicial oversight of law enforcement monitoring of certain telephone and Internet communications. Law enforcement officials could delay notification of an issued warrant or court order only when immediate notification might jeopardize an investigation or threaten the physical safety of an individual. Law enforcement agencies attempting to place roving wiretaps on telephones would have to demonstrate to a judge that a crime has been, or will be, committed.
The PRIA would also limit the Federal Bureau of Investigation's ability to access such personal information as an individual's medical, library, and Internet records without demonstrating probable cause that the individual is an agent of a foreign power. In addition, the PRIA would forbid data-mining without explicit authorization from Congress, and would require the Office of the Attorney General to publish annual reports disclosing certain aspects of its search activities under the USA PATRIOT Act. Further, the bill would restrict law enforcement requests to libraries to turn over information regarding Internet use by library patrons to the investigation standards provided in the Foreign Intelligence Surveillance Act (FISA).

In related news, the American Civil Liberties Union (ACLU) recently filed the first legal challenge to the USA PATRIOT Act. In MCA, et al. v. Ashcroft and Mueller, the ACLU alleges that the broad scope of FBI search power authorized by the USA PATRIOT Act violates the First, Fourth, and Fifth Amendments of the Constitution.

The text of the Protecting the Rights of Individuals Act is available at:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s1552:

Information about the USA PATRIOT Act is available at EPIC's USA PATRIOT Act Page:

     http://www.epic.org/privacy/terrorism/usapatriot

Additional information about USA PATRIOT Act developments is available at EPIC's PATRIOT II Page:

     http://www.epic.org/privacy/terrorism/patriot2.html

Information about the Foreign Intelligence Surveillance Act (FISA) is available at EPIC's FISA Page:

     http://www.epic.org/privacy/terrorism/fisa

The ACLU's Complaint in MCA, et al. v.
Ashcroft and Mueller is available at:

     http://www.aclu.org/Files/getfile.cfm?id=13247

======================================================================
[4] GAO Privacy Act Report Indicates Need for Better Compliance
======================================================================

On July 30, the General Accounting Office (GAO) released a report finding that compliance with the Privacy Act by government agencies is inconsistent and, as a result, individuals cannot be assured that their privacy rights are being protected. The report, "Privacy Act: OMB Leadership Needed to Improve Agency Compliance," was initiated at the request of Sen. Joseph Lieberman (D-CT), Ranking Minority Member of the Senate Committee on Governmental Affairs.

The Privacy Act requires that a governmental agency observe certain procedures when it is collecting personal information that is retrieved by a personal identifier. These procedures call for the agency to collect only necessary information, provide public notice when creating or altering record-keeping systems, and safeguard the information.

The GAO, studying a cross section of 25 agencies and systems ranging from files of five persons to 290 million persons, found that respondents' compliance with the Privacy Act ranged from 70 percent to 100 percent. The GAO estimates that for 10 percent of the systems kept, agencies allow individuals to access personal information over the Internet. Privacy officers at the subject agencies explained the need for more oversight and guidance by the Office of Management and Budget (OMB) in order to increase compliance. As a result, GAO's overarching recommendation was for increased OMB oversight.

The OMB, charged with setting forth guidelines and regulations for agency implementation of the Privacy Act, disagreed with the report's conclusion and recommendations, finding the statements "reckless and irresponsible" based on the compliance data.
While the GAO was careful to conclude that the lack of compliance does not mean that the government will not protect individuals' privacy rights, it did make clear that, under these circumstances, privacy protection cannot be assured.

The GAO report, "Privacy Act: OMB Leadership Needed to Improve Agency Compliance," is available at:

     http://www.gao.gov/new.items/d03304.pdf

The text of the Privacy Act is available at:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d093:SN03418:

======================================================================
[5] Researchers Find Flaws in Electronic Voting
======================================================================

A recent study conducted by computer science researchers at Johns Hopkins University has found that electronic voting systems contain "significant security flaws" that may subject election results to fraud by both voters and those involved in election administration. The researchers conducted the study using source code found on the Internet that is believed to be the proprietary code of the AccuVote-TS touch-screen voting system produced by Diebold Election Systems.

The study found that the voting machines' use of "smartcards" renders the system vulnerable to tampering by voters as well as "insiders such as poll workers, software developers and even janitors," all of whom could cast multiple votes due to the voting system's failure to provide a means to track such misconduct. The report was also critical of the system's failure to provide a paper "audit trail" that can be reviewed by voters for accuracy.

The researchers conclude that "there appears to have little quality control in the [software development] process." The researchers' report urges openness in the software development process to facilitate the creation of better quality electronic voting software.
Alternatively, the researchers recommend that electronic voting systems include a voter-verifiable paper audit trail to ensure accuracy in the voting process.

Diebold voting machines have already been used in elections in Maryland, Georgia, California, and Kansas, among other locations. Maryland election officials recently ordered $55.6 million worth of touch-screen voting equipment from Diebold in preparation for the implementation of electronic voting throughout the state.

The Johns Hopkins researchers' report "Analysis of an Electronic Voting System" is available at:

     http://www.avirubin.com/vote.pdf

More information about electronic voting is available at:

     http://www.verifiedvoting.org

To sign a petition urging voter-verifiable ballot trails, see:

     http://www.verifiedvoting.org/resolution.asp

======================================================================
[6] News in Brief
======================================================================

CA Fed. Court Rules that FCRA Preempts Local Privacy Law

In a serious setback to privacy rights, a federal district court in the Northern District of California has ruled that the Fair Credit Reporting Act preempts city ordinances that established certain heightened privacy protections. The ordinances, enacted in several California cities and counties, required financial institutions to obtain opt-in consent before sharing personal information amongst affiliated and non-affiliated entities. The ordinances were intended to supplement the federal Gramm-Leach-Bliley Act (GLBA), which sets weak, opt-out standards for information sharing among non-affiliates, and does not allow any choice in regards to affiliate sharing. The court invalidated opt-in requirements for affiliate sharing, but upheld an opt-in standard for non-affiliate information sharing. The court's decision is likely to be appealed, as Congress clearly intended to allow states to regulate information sharing in passing the GLBA.
The opinion in Bank of America v. Daly City, Nos. 02-4343 & 02-4943 (N.D. Cal. July 29, 2003) is available at:

     http://www.epic.org/privacy/glba/boavdalycity.pdf

Homeless Tracking System Announced

The Department of Housing and Urban Development announced its guidelines for "Homeless Management Information Systems" (HMIS). HMIS is a standard system for tracking homeless persons and the services rendered to them. Entities that provide services would collect their names, Social Security Numbers, dates of birth, race, gender, health status (including HIV, pregnancy, and domestic violence), veteran status, and income information. Although the plan does not call for a national, centralized database, the information collected could easily facilitate the creation of a national database in the future. Furthermore, law enforcement, Secret Service, and National Security access to the database would be nearly unlimited. The guidelines are open to public comment until September 22, 2003.

HUD Homeless Management Information Systems webpage:

     http://www.hud.gov/offices/cpd/homeless/hmis

Colleges Seek to Quash P2P Subpoenas Under FERPA

Boston College and the Massachusetts Institute of Technology are relying upon the Federal Educational Rights and Privacy Act (FERPA) to invalidate subpoenas directed to the institutions that seek the identity of students using peer-to-peer file sharing systems. The Recording Industry Association of America issued the subpoenas in an attempt to bring suit against students operating popular file sharing systems on the campuses. The subpoenas, issued under the Digital Millennium Copyright Act (DMCA), present a serious risk to privacy as they allow a copyright holder to determine the identity of an Internet user without meaningful due process.
The EPIC Letter on P2P Monitoring in Higher Education is available at:

     http://www.epic.org/privacy/student/p2pletter.html

More information about education privacy is available at EPIC's FERPA Page:

     http://www.epic.org/privacy/student

======================================================================
[7] EPIC Bookstore: Secure Coding: Principles & Practices
======================================================================

Mark G. Graff and Kenneth R. van Wyk, Secure Coding: Principles & Practices (O'Reilly 2003).

     http://www.powells.com/cgi-bin/biblio?inkey=4-0596002424-0

Attacks on computer systems and networks occur today at an alarming rate. Worms, malevolent mail, and distributed denial of service attacks undermine systems around the globe--from banks to major e-commerce sites to critical infrastructure computers. Despite their many manifestations and targets, nearly all attacks have one fundamental cause: the code underlying these computers and networks is not secure.

Finally, a book takes aim at the fundamental problem challenging the very future of the Internet. Packed with expert advice based on the authors' decades of experience, Secure Coding sheds light on the economic, psychological, and practical reasons why security vulnerabilities are so ubiquitous today. Much more than a technical tome, this concise and engaging book is a call to arms, a challenge to all of us to finally make a commitment to building secure code. The future of technology may very well depend on our heeding the call.

================================

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.

     http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S.
and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

     http://www.epic.org/bookstore/foia2002/

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.

     http://www.epic.org/bookstore/phr2002/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

     http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

     http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce.
The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.

     http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

======================================================================
[8] Upcoming Conferences and Events
======================================================================

Chaos Communication Camp 2003: The International Hacker Open Air Gathering. Chaos Computer Club. August 7-10, 2003. Paulshof, Altlandsberg, Germany. For more information: http://www.ccc.de/camp/

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk and Science Fiction. August 11-13, 2003. Prague, Czech Republic. For more information: http://www.inter-disciplinary.net/vhccsf03cfp.htm

NSF Cyber Trust Point Meeting. Johns Hopkins University Information Security Institute. August 13-15, 2003. Baltimore, Maryland. For more information: http://www.jhuisi.jhu.edu/institute/cybertrust.html

Voting Machines: A Threat To Democracy? The Ethical Society. September 7, 2003. Philadelphia, Pennsylvania. For more information: http://www.phillyethics.net

Surveillance and Privacy 2003: Terrorists and Watchdogs.
Baker & McKenzie Cyberspace Law and Policy Centre and University of New South Wales Law Faculty. September 8-9, 2003. Sydney, Australia. For more information: http://www.bakercyberlawcentre.org/2003/Privacy_Conf/

25th International Conference of Data Protection and Privacy Commissioners. September 10-12, 2003. Sydney, Australia. For more information: http://www.privacyconference2003.org/

WWW2003: 5th Annual Conference on World Wide Web Applications. Department of Information Studies, Rand Afrikaans University, and the Department of Information Systems and Technology, University of Durban-Westville. September 10-12, 2003. Durban, South Africa. For more information: http://www.udw.ac.za/www2003/

Making Intelligence Accountable, September 19-20, 2003. Oslo, Norway. The Geneva Centre for the Democratic Control of Armed Forces. For more information: http://www.dcaf.ch/news/Intel%20Acct_Oslo%200903/ws_mainpage.html

Privacy2003. Technology Policy Group. September 30-October 2, 2003. Columbus, OH. For more information: http://www.privacy2000.org/2003/index.html

Getting the Technology You Deserve: Community Participation in Regional Cable Franchise Policy. Computer Professionals for Social Responsibility. October 25, 2003. Seattle, Washington. For more information: http://www.cpsr.org/conferences/annmtg03/

ICANN Meeting. Internet Corporation for Assigned Names and Numbers. October 27-31, 2003. Carthage, Tunisia.
For more information: http://www.icann.org/carthage/

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via e-mail:

     To: epic_news-request@mailman.epic.org
     Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Problems or questions? e-mail <info@epic.org>

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC.
It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.16 ----------------------