========================================================================
E P I C   A l e r t
========================================================================
Volume 12.15                                              July 28, 2005
------------------------------------------------------------------------
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_12.15.html
========================================================================
Table of Contents
========================================================================
Court Rejects Agencies' "Sensitive Security" Claim in EPIC FOIA Case
EPIC Testifies on Draft House Data Security Bill
Local, State, National Organizations Battle REAL ID Implementation
Accountability Office Finds Security Agency Broke Privacy Law
After U.K. Attacks, Pressure Rises for More Surveillance in U.S.
News in Brief
EPIC Bookstore: Nat Hentoff's "War on the Bill of Rights"
Upcoming Conferences and Events
========================================================================
Court Rejects Agencies' "Sensitive Security" Claim in EPIC FOIA Case
========================================================================

In a Freedom of Information Act case brought by EPIC against three federal agencies, a federal court has held that the Transportation Security Administration and the Department of Homeland Security may not withhold a document sought by the public simply by saying it contains "sensitive security information." Though federal agencies "are not required to describe the withheld portions in so much detail that it reveals the sensitive security information itself," the court said they are required to "provide a more adequate description" to explain why material is not made public.

The determination came in a Freedom of Information Act suit EPIC filed last year to force DHS, TSA and the FBI to release documents detailing the agencies' efforts to obtain passenger information from commercial airlines.
The suit challenged the adequacy of the FBI's search for documents in response to EPIC's FOIA request. EPIC also argued that DHS and TSA improperly withheld requested records on grounds of protecting sensitive security information, personal privacy, and the agencies' internal deliberative processes. The District Court for the District of Columbia determined that the FBI had conducted an adequate search for documents, and that DHS and TSA properly withheld some information under the FOIA. However, the court found that the agencies did not provide enough justification for numerous withholdings.

In addition to its finding on "sensitive security information," the court determined that DHS and TSA did not sufficiently explain the withholding of more than twenty documents as "deliberative." The court also determined that while agency employees have a privacy interest in their identities, the agencies did not provide enough information for the court to decide whether business and agency identifiers and domain names were properly redacted to protect personal privacy. The court has ordered DHS and TSA to provide more detailed justification for these withholdings.

The opinion:
http://www.epic.org/privacy/airtravel/passengerdata/epic_v_dhs.pdf

For more information about the case:
http://www.epic.org/privacy/airtravel/passengerdata/

========================================================================
EPIC Testifies on Draft House Data Security Bill
========================================================================

In testimony today before the House Commerce Subcommittee on Consumer Protection, EPIC West Coast Director Chris Hoofnagle urged Congress to pass strong data security legislation that includes privacy protections for the use of personal information. The hearing concerned bipartisan draft legislation sparked by a series of major data security breaches.
The legislation would direct the Federal Trade Commission to develop security standards applicable to all companies that possess Social Security numbers, driver's license numbers, or financial account numbers. Holders of these categories of personal information would have to give notice to their customers whenever a security breach occurred that created a "reasonable basis to conclude" that the breach "may result in identity theft." Additionally, companies would have to create a security policy, identify an employee responsible for information security, and employ preventative and corrective measures to address security vulnerabilities.

Heightened responsibilities would be placed upon information brokers, such as Lexis-Nexis and Acxiom. Such companies would have to provide individuals with their personal information dossier at no cost, and be audited regularly by the FTC. The legislation would broadly preempt stronger state law and limit enforcement of violations to the FTC.

EPIC's testimony focused on including privacy protections to complement the data security requirements. EPIC argued that the legislation should include the option for a "credit freeze," which enables individuals to block almost all dissemination of their credit reports. EPIC also recommended that companies be required to use audit logs to deter insiders from accessing and disclosing personal information without authorization.
Data Security: The Discussion Draft of Data Protection Legislation hearing:
http://www.epic.org/redirect/datahear0705.html

EPIC Testimony:
http://www.epic.org/privacy/choicepoint/datasec7.28.05.html

EPIC's Choicepoint page:
http://www.epic.org/privacy/choicepoint/

========================================================================
Local, State, National Organizations Battle REAL ID Implementation
========================================================================

More than seventy individuals from local, state and national organizations gathered in Washington, D.C. on Wednesday for the National Driver's License Strategy Meeting convened by the American Civil Liberties Union, Electronic Privacy Information Center, National Asian Pacific American Legal Consortium, National Immigration Law Center, and National Council of La Raza. The privacy, civil liberties, and immigrant rights groups discussed strategies to fight the implementation of the REAL ID Act, a national ID program passed in May, which mandates federal identification standards and requires that state DMVs collect sensitive personal information.

Panels at the meeting discussed the national ID system's privacy and security risks; local, state and national strategies to oppose the implementation of the national ID system; and possible impacts upon different communities, including immigrant, minority, religious and gay/lesbian/bisexual/transgendered communities. Groups represented included the Electronic Frontier Foundation, National Governors Association, Center for New Community and National Employment Law Project.

Under the REAL ID Act, state DMVs will have to verify identification documents and the legal status of immigrants. States are mandated to link their databases so that all information collected about individuals by each DMV can be accessed.
The panels highlighted the grave privacy and security risks inherent in the creation of a tempting target for criminals at a time of rampant data security breaches and attacks upon DMVs by identity thieves.

Rep. James Sensenbrenner, the act's sponsor, has estimated that enacting REAL ID would cost $100 million. However, Pennsylvania has estimated that it would cost more than $100 million for the state alone to implement the national ID program. Congress has not yet stated where the money to create the national ID system would come from. Panelist Nolan Jones, from the National Governors Association, estimated that REAL ID would cost $750 million over the next five years, and said that if the cost were passed on to the public, then licenses would cost about $100 to $125 each.

National Driver's License Strategy Meeting:
http://www.epic.org/redirect/natlidmeet0705.html

EPIC's National ID Cards and REAL ID Act page:
http://www.epic.org/privacy/id_cards/

EPIC National ID Conference:
http://www.epic.org/events/id/

Text of H.R. 418, the Real ID Act:
http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.00418:

========================================================================
Accountability Office Finds Security Agency Broke Privacy Law
========================================================================

In a letter to Congress, the Government Accountability Office concluded that the Transportation Security Administration violated the Privacy Act when it obtained personal information about airline passengers from commercial data brokers during the test phase of the Secure Flight passenger prescreening program. According to the letter, "the agency did not provide appropriate disclosure about its collection, use and storage of personal information as required by the Privacy Act," and "the public did not receive the full protections" of the law.
Violations of the Privacy Act of 1974, a federal law requiring government agencies to meet certain obligations when creating and maintaining systems of records, are civilly and criminally punishable. The Department of Homeland Security Privacy Office is also investigating whether the agency violated the Privacy Act during the test phase of Secure Flight.

In fall 2004, TSA published a privacy impact assessment and three notices describing the Secure Flight program, and also ordered 72 commercial airlines to turn over passenger records from June 2004 to test Secure Flight. The agency assured the public repeatedly that it would not have access to or store data from commercial data aggregators during the test phase. However, according to a notice and privacy impact assessment published in the Federal Register on June 22, TSA obtained passenger name records enhanced with commercial data during the testing of Secure Flight. The commercial data, which was obtained by contractor EagleForce Associates from commercial data brokers, included such information as name, home address, phone number, date of birth, and gender. EagleForce then provided the enhanced passenger records to TSA on CD-ROMs for use in watch list match testing. TSA continues to store this data.

In a series of comments to the Department of Homeland Security, EPIC has repeatedly urged that the agency follow Privacy Act requirements when it gathers personal information on travelers. In a letter to Homeland Security Secretary Michael Chertoff in response to the GAO's findings, Senators Susan Collins and Joe Lieberman stated that "careless missteps such as this jeopardize the public trust and DHS' ability to deploy" Secure Flight.

The GAO letter to Congress:
http://www.gao.gov/new.items/d05864r.pdf

TSA Nov. 15, 2004 Notice of Final Order:
http://www.epic.org/redirect/noti904.html

TSA June 22, 2005 System of Records Notice:
http://www.epic.org/redirect/tsa62205.html

Letter from Sens. Lieberman and Collins to Secretary Chertoff:
http://www.epic.org/redirect/sens0705.html

EPIC's Secure Flight Page:
http://www.epic.org/privacy/airtravel/secureflight.html

========================================================================
After U.K. Attacks, Pressure Rises for More Surveillance in U.S.
========================================================================

A new series of bombings in London has increased pressure in the U.S. for more surveillance programs. There have been calls to significantly expand video surveillance systems, and police have begun randomly searching subway, bus, ferry and railway riders in New York City and its New Jersey suburbs. Washington, D.C., is considering random searches of its mass transit riders, and is observing New York's tactics. New York Sen. Hillary Clinton called for subway officials to install more cameras, even though New York officials said about 5,000 cameras are already in use throughout the city's travel system. Department of Homeland Security officials recently announced they would spend almost $10 million to install hundreds of surveillance cameras and sensors on a rail line near the Capitol.

London has 200,000 cameras, and more than 4 million cameras have been deployed throughout the country. The average Briton is seen by 300 cameras per day, according to estimates. Despite the extensive surveillance system, the recent bombings were not prevented. A recent EPIC Spotlight on Surveillance highlighted the ineffectiveness of such camera surveillance systems, and found the systems' minimal security benefit is not worth the significant risks to privacy. Studies have found that such camera networks have little effect on crime, and that it is more effective to place more officers on the streets and improve lighting in high-crime areas.

In 2002, EPIC launched the Observing Surveillance project.
The project includes a map of camera locations in areas of downtown Washington, D.C., which indicates both the locations of surveillance cameras installed by the D.C. Metropolitan Police Department and the projected surveillance radius of those cameras.

New York City and New Jersey police have begun conducting random searches of packages and backpacks carried by more than 5 million daily mass transit passengers. These searches have prompted questions about racial and ethnic profiling, and about the legality of the searches, conducted on people who are not suspected of any criminal wrongdoing.

EPIC May Spotlight on Surveillance About Camera Systems:
http://www.epic.org/privacy/surveillance/spotlight/0505/

Observing Surveillance Web Site:
http://www.observingsurveillance.org/

========================================================================
News in Brief
========================================================================

EDRI Launches Petition Against Data Retention

European Digital Rights and Dutch ISPs XS4ALL and Bit have launched an international petition against mandatory data retention. EDRI argues that retention of telecommunication traffic data is an invasive tool that interferes with privacy rights and that data retention is illegal under Article 8 of the European Convention on Human Rights. EDRI also argues that the security gained from retention may be illusory, as traffic data may easily point to another user, and that the means through which this policy is being pursued are illegitimate.

EDRI and ISP petition against data retention (in English and French):
http://www.dataretentionisnosolution.com/

EPIC's International Data Retention page:
http://www.epic.org/privacy/intl/data_retention.html

New EPIC Page Describes 'Flash Cookies'

Internet cookies used to be a treat for marketers looking for ways to measure advertising response, but that has changed.
A recent study by international research advisory organization JupiterResearch has found that nearly 60 percent of American Internet users have deleted cookies from their computers in order to avoid being tracked online. One company has proposed to track users through a feature in Macromedia Flash software. "Flash cookies" make it possible for Web sites to track users even if they delete their normal cookies. EPIC's new Flash Cookies page describes what they are, and how to prevent being tracked by them.

EPIC's Flash Cookies page:
http://www.epic.org/privacy/cookies/flash.html

JupiterResearch press release about its study:
http://www.epic.org/redirect/jupiter0705.html

Justice Department Launches Online National Sex Offender Database

The Department of Justice has posted a nationwide sex offender Web site, which provides public access to sex offender information from 21 states and the District of Columbia, searchable by name, ZIP code, county, city, state, or nationwide. According to the site, the database will provide "one-stop access" to registries from all 50 states by the end of the year. Each state posts different information about sex offenders, but profiles can include detailed personal data such as the individual's name, date of birth, residential address, work address, age, weight, height, hair color, eye color, race, gender, identifying marks, one or more photographs, offense, conviction information, known aliases, and age of victim. In an amicus brief to the Supreme Court, EPIC argued in 2002 that "Megan's law statutes which permit registry dissemination on the Internet are excessively invasive of the privacy of released offenders."

Department of Justice National Sex Offender Public Registry:
http://www.nsopr.gov/

EPIC Amicus Brief, Smith v. Doe (US 2003) (pdf):
http://www.epic.org/privacy/meganslaw/godfrey_amicus.pdf

Smith v. Doe (US 2003):
http://www.oyez.org/oyez/resource/case/1607/abstract/

EPIC Publishes Memo on Recruiting Database, Privacy Act Violations

EPIC has released a memorandum describing the Department of Defense recruiting database. The memorandum discusses the sources of the data and the Privacy Act violations in the creation of the database. Of particular concern is the use of commercial data brokers and Social Security numbers. Pending resolution of these issues, EPIC urges the department to immediately suspend the use of the database.

EPIC memorandum (pdf):
http://www.epic.org/privacy/student/epic_dod_71505.pdf

EPIC's DOD Recruiting Database page:
http://www.epic.org/privacy/student/doddatabase.html

Deadline Approaches to Comment on Telemarketing Laws

According to DMNews, a publication focusing on direct marketing, 8,100 people have filed comments with the Federal Communications Commission in opposition to petitions filed by telemarketers that would weaken protections against telemarketing. The petitions seek to preempt, or supersede, state laws that are stronger than federal law. These state laws prohibit telemarketers from making "pre-recorded voice" calls, or from exploiting a "business relationship" loophole that allows calls to those on the Do-Not-Call Registry. EPIC is urging consumers to comment in support of state anti-telemarketing laws until the deadline for public participation, Friday, July 29, 2005.

EPIC's Telemarketing Preemption page:
http://www.epic.org/privacy/telemarketing/preemptiveattack.html

FCC Comment Filing System page:
http://www.epic.org/redirect/fccef0705.html

Two Canadian Law Firms Rebuked for Privacy Breaches

The Office of the Information and Privacy Commissioner of Alberta, Canada, recently rebuked two Canadian law firms for publishing personal employee information on a public Web site.
Stikeman Elliott LLP of Toronto and Montreal and Shtabsky & Tussman LLP of Edmonton violated Alberta's Personal Information Protection Act by disclosing home addresses and social insurance numbers in connection with a corporate buyout. The office recommended that both law firms conduct comprehensive privacy training and education programs with their lawyers and staff.

Alberta Privacy Commissioner report (pdf):
http://www.oipc.ab.ca/ims/client/upload/P2005_IR_005.pdf

EPIC Opposes Council of Europe Convention on Cybercrime

In a statement to the Committee on Foreign Relations, EPIC has urged the United States Senate to oppose ratification of the Council of Europe Convention on Cybercrime. EPIC cited the sweeping expansion of law enforcement authority, the lack of legal safeguards, and the impact on US Constitutional rights.

EPIC statement (pdf):
http://www.epic.org/privacy/intl/senateletter-072605.pdf

EPIC's Cybercrime Convention page:
http://www.epic.org/privacy/intl/ccc.html

Build-A-Bear Workshops Build a Marketing Database on Kids

Build-A-Bear Workshops are where kids construct and customize their own teddy bears, and even create a birth certificate for them. The company also gathers personal information on its young customers. When kids access computers to make bear birth certificates, they are asked to submit their name, birth date, gender, home address and an e-mail address. Children are required to opt out of receiving unsolicited offers by unchecking boxes authorizing Build-A-Bear to contact kids with special offers and promotions.
EPIC's Privacy and Consumer Profiling page:
http://www.epic.org/privacy/profiling/

========================================================================
EPIC Bookstore: Nat Hentoff's "War on the Bill of Rights"
========================================================================

Nat Hentoff, War on the Bill of Rights And the Gathering Resistance (Seven Stories Press, 2003)
http://www.epic.org/bookstore/powells/redirect/alert1215.html

"The Constitution, said Supreme Court Justice Antonin Scalia ominously in March, 2003, just sets minimums. Most of the rights that you enjoy go way beyond what the Constitution requires. In The War on the Bill of Rights-and the Gathering Resistance, nationally syndicated columnist and Village Voice mainstay Nat Hentoff draws on untapped sources-from reporters, resisters, and civil liberties law professors across the country to administration insiders-to piece together the true dimensions of the current assault on the Constitution and the Bill of Rights. The first draft of the USA PATRIOT Act to go to Congress included the suspension of habeas corpus. The proposed sequel (PATRIOT Act II) would make it possible to revoke U.S. citizenship, and, for the first time in history, authorize secret arrests. Both Patriot Acts increase electronic surveillance of Americans, with minimal judicial supervision. Hentoff refocuses attention on domestic surveillance initiatives established by unilateral executive actions, such as Operation TIPS and the Total Information Awareness System, both still quietly functioning. Hentoff chronicles the inevitable rise of citizen's groups against these gross infringements, comparing today's Bill of Rights Defense Committees to Samuel Adams's Sons of Liberty, whose campaign against the British helped to precipitate the American Revolution. Afforded little coverage in the major media, the Bill of Rights Defense Committees now have spread to nearly one hundred cities and towns nationwide.
Hentoff quotes Lance Morrow, who wrote, If Americans win a war (not just against Saddam Hussein but the longer-term struggle) and lose the Constitution, they will have lost everything."

================================

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $35.
http://www.epic.org/bookstore/phr2004

This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
================================

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.
http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/bookstore/crypto00

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
Upcoming Conferences and Events
========================================================================

Access to Information: Analyzing the State of the Law. Riley Information Services. September 8, 2005. Ottawa, Ontario. For more information:
http://www.rileyis.com/seminars/

5th Annual Future of Music Policy Summit. Future of Music Coalition. September 11-13, 2005. Washington, DC. For more information:
http://www.futureofmusic.org/events/summit05/

Conference on Passenger Facilitation & Immigration: Newest Trends in Achieving a Seamless Experience in Air Travel. International Air Transport Association (IATA) and Singapore Aviation Academy (SAA). October 3-5, 2005. Singapore Aviation Academy. For more information:
http://www.saa.com.sg/conf_pax_fac/

Access & Privacy Workshop 2005: Toolkit For Change. Ontario Ministry of Government Services' Access & Privacy Office. October 6-7, 2005. Toronto, Ontario. For more information:
http://www.governmentevents.ca/apw2005/

Public Voice Symposium: "Privacy and Data Protection in Latin America - Analysis and Perspectives." Launch of the first Spanish version of "Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto Lleras Camargo de la Universidad de los Andes, Bogota, Colombia. Organizers: Electronic Privacy Information Center (EPIC), Grupo de Estudios en Internet, Comercio Electrónico, Telecomunicaciones e Informática (GECTI), Law School of the Universidad de los Andes, Bogota, Colombia, Computer Professionals for Social Responsibility-Peru (CPSR-Perú). For more information: