                          E P I C  A l e r t
Volume 10.04                                          February 24, 2003

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.

Table of Contents

[1] Data Sellers May Be Liable for Sale of Personal Information
[2] EPIC Files Comments at FTC Workshop on Cross-Border Fraud
[3] Senator Proposes Domestic Spy Agency; Bush Launches Threat Center
[4] Congress Passes "Do-Not-Call" Legislation
[5] EPIC Comments on Proposed Airline Passenger Database
[6] Privacy International Seeks "Stupid Security" Contest Submissions
[7] EPIC Bookstore: Hong Kong Data Privacy Law
[8] Upcoming Conferences and Events

[1] Data Sellers May Be Liable for Sale of Personal Information

The New Hampshire Supreme Court issued an important decision on
February 18 in Remsburg v. Docusearch, a civil lawsuit brought against
information brokers and private investigators for selling personal
data about Amy Boyer to a stalker who murdered her after using that
information to locate her.  Boyer's killer obtained information about
her through Docusearch, a data brokerage firm run by private
investigators, who used pretexting to obtain Boyer's employment
address and other information.  EPIC filed an amicus brief in the
case, arguing that private investigators and information brokers
should be liable for wrongful privacy invasions of third parties about
whom they are collecting and disseminating information.

The court held that private investigators and information brokers have
a duty to exercise reasonable care when the sale of personal
information creates a risk to the individual being investigated.  The
court found that stalking and identity theft are two foreseeable harms
that give rise to the duty to exercise care.  In a significant
expansion of privacy protection, the court held that the investigators
could be liable for damages resulting from the sale of information
obtained through pretexting.  This holding exceeds federal protections
against pretexting phone calls, which were enacted with the passage of
the Gramm-Leach-Bliley Act.  Finally, the court held that individuals
may have a tort cause of action against investigators who purchase
their Social Security Numbers (SSNs) from credit reporting agencies
without permission.  The court noted, "While a SSN must be disclosed
in certain circumstances, a person may reasonably expect that the
number will remain private."

Now that the New Hampshire Supreme Court has ruled, the case will be
remanded to a federal district court where a trial will proceed to
determine whether Docusearch and the other defendants were actually
liable for Amy Boyer's death.

New Hampshire Supreme Court Decision in Remsburg v. Docusearch:


EPIC's Amicus Brief:


EPIC's Amy Boyer Case Page:


Amy Boyer Memorial and Informational Web Site:


[2] EPIC Files Comments at FTC Workshop on Cross-Border Fraud

On February 20, the Federal Trade Commission (FTC) explored "Potential
Partnerships Among Consumer Protection Enforcement Agencies and
Internet Service Providers and Web Hosting Companies" and "Cooperation
Between Consumer Protection Enforcement Agencies and Domain
Registration Authorities" as two panels of a public workshop on
partnerships against cross-border fraud.  EPIC submitted statements
for inclusion in both of these panels.

In the "Potential Partnerships" panel, the discussion first focused on
trying to assess how Internet Service Providers (ISPs) and Web hosting
companies could more efficiently share their subscribers' personal
information with the FTC and foreign law enforcement authorities in
the context of cross-border fraud.  EPIC's statement asserted that the
FTC's foremost role is to protect consumers' privacy, and that the
debate should be refocused to concentrate less on how privacy rules
may represent a hurdle for law enforcement and more on how the FTC
could articulate its law enforcement activities with the task of
protecting the privacy of defrauded consumers.  To develop cooperation
and information-sharing partnerships between the public and private
sectors in the context of consumer fraud investigations, EPIC
recommended to the FTC that the Organization for Economic Cooperation
and Development (OECD) Privacy Guidelines be used as a trans-national
legal framework to protect the privacy of consumers in the context of
the international transfer of personal information.  Because such
guidelines have served as a model for several national data protection
laws, they should foster consumer confidence by providing strong
principles for the protection of consumer privacy.  EPIC's statement
also addressed many of the privacy implications of cross-border
transfers of personal information in consumer fraud investigations.

During the panel on "Cooperation Between Consumer Protection
Enforcement Agencies and Domain Registration Authorities", the FTC
considered the expanded use of information about Internet domain name
registrants for law enforcement purposes.  In particular, the
Commission explored how domain registrars and registries could improve
the accuracy of WHOIS data in the generic top-level domains.  WHOIS
data consists of domain name registrants' contact information,
administrative contact information, and technical contact information
-- all of which include mailing address, email address, telephone
number, and fax number -- as well as domain name, domain servers, and
other information.  This data is globally, publicly accessible.  EPIC
recommended that the FTC address the privacy, free speech, and
consumer fraud implications of requiring domain name registrants to
provide accurate personal information.  EPIC also emphasized that the
FTC plays a critical role both in investigating consumer fraud and
protecting consumers from fraud.  Specifically, the FTC advises
consumers not to disclose personal information, and if consumers
choose to disclose personal information, they should know who is
collecting the information, why the information is being collected,
and how it is going to be used.  EPIC argued that the same criteria
should be applied to WHOIS data.

EPIC's statement on "Potential Partnerships Among Consumer Protection
Enforcement Agencies and Internet Service Providers and Web Hosting
Companies":

EPIC's statement on "Cooperation Between Consumer Protection
Enforcement Agencies and Domain Registration Authorities":


FTC public workshop on "Public/Private Partnerships to Combat Cross-
Border Fraud":


[3] Senator Proposes Domestic Spy Agency; Bush Launches Threat Center

On February 13, Senator John Edwards (D-NC) introduced a bill, S. 410,
that would authorize the creation of a "Homeland Intelligence Agency."
The bill, titled the "Foreign Intelligence Collection Improvement Act
of 2003," would create a domestic intelligence agency modeled after
Britain's MI5 Security Service, but would incorporate what are
characterized as innovative civil liberties safeguards.  Sen. Edwards
argues that the law enforcement and intelligence gathering functions
of the Federal Bureau of Investigation (FBI) are fundamentally
inconsistent, and that the country needs an agency focused solely on
domestic intelligence.  The proposed agency would take over the
intelligence functions of the FBI and would also obtain control over
the domestic intelligence functions of the Central Intelligence Agency
(CIA), National Security Agency (NSA), and other intelligence

To balance the unprecedented centralization of domestic surveillance
power, S. 410 proposes a system of rigorous internal auditing,
enhanced public reporting and congressional oversight.  The Homeland
Intelligence Agency would have an Office of Privacy and Civil
Liberties Protection, along with an independent Citizens Advisory
Board, to monitor the operations of the agency.  The bill proposes
that the Privacy Act's Fair Information Practices would apply to the
collection of intelligence information and that the agency would
conduct privacy impact assessments for its surveillance proposals.  It
also promises strong guidelines on data mining activities.

The Foreign Intelligence Collection Improvement Act is predicated on
two assumptions: that a law enforcement agency cannot and should not
have intelligence capabilities, and that there is a need for greater
domestic intelligence gathering power.  It is not clear, however, that
either of these assumptions holds true.  While Congress is unlikely to
act upon the bill in the near term, it provides a concrete alternative
solution to the debate about how to conduct lawful domestic
intelligence gathering.  Such proposals need to be analyzed carefully
on their merits for potential ideas and problems.

Responding to criticisms about inadequate cooperation between the
various intelligence agencies, the White House announced the creation
of the Terrorist Threat Information Center (TTIC) on January 28.
According to the press release, the TTIC will be implemented in three
phases.  In its initial stage, TTIC will primarily focus on the
production of integrated terrorist threat analysis for senior
policymakers.  In the second phase of implementation, TTIC will be the
principal gateway for policymaker requests for analysis of potential
terrorist threats to U.S. interests, and will maintain a database of
known and suspected terrorists.  In its final stage, TTIC will serve
as the hub for all terrorist threat-related analytic work. TTIC will
be located in a facility separate from CIA and FBI Headquarters, but
will be under the Director of Central Intelligence.  The FBI,
meanwhile, is establishing an intelligence program to ensure that the
collection and dissemination of intelligence is given the same
institutional priority as the collection of evidence for prosecution. 
A new Executive Assistant Director for Intelligence will be given
direct authority and responsibility for the FBI's national
intelligence program.

S. 410, Foreign Intelligence Collection Improvement Act of 2003:


Fact Sheet, Strengthening Intelligence to Better Protect America:


[4] Congress Passes "Do-Not-Call" Legislation

Congress has passed legislation to implement the Federal Trade
Commission's Do-Not-Call (DNC) list.  The legislation, H.R. 395,
the Do-Not-Call Implementation Act, passed by unanimous consent in the
Senate, and by a 418-7 vote in the House.  The measure was sponsored
by House Energy and Commerce Committee Chairman Billy Tauzin (R-LA).

The FTC will now move forward with implementation of its DNC list.  It
is expected to be operational by Fall 2003.  However, to prevent its
operation, the telemarketing industry has filed suit challenging the
list.  That case, US Security v. FTC, was filed on January 29, 2003, in
federal court in Oklahoma.

The legislation now goes to the White House, where it is predicted
that President Bush will sign the bill.

H.R. 395 is available at:


EPIC's Telemarketing Page:


[5] EPIC Comments on Proposed Airline Passenger Database

EPIC has submitted comments on a Transportation Security
Administration (TSA) proposal to create a new database of Aviation
Security Screening Records on all airline passengers.  This proposed
database was disclosed for the first time in a Privacy Act notice
published in the Federal Register on January 15, 2003.  EPIC argued
that the notice did not provide sufficient information for the public
to contribute meaningfully to this rule-making procedure.  In fact,
the TSA has resisted requests EPIC brought under the Freedom of
Information Act (FOIA) to provide public access to relevant
information in the agency's possession about the TSA proposal.

According to the Federal Register notice, the TSA proposes to collect
passenger manifest information on all airline travelers and store it
in a large centralized database.  The manifest information includes
"Passenger Name Records (PNR) and associated data."  This includes
date and time of flights, flight number, destination, reservation
information, and payment information.  According to the notice, the
TSA would store the records until the "completion of the individual's
air travel to which the record relates."  The TSA also proposes to
collect and store data on "individuals who are deemed to pose a
possible risk to transportation or national security."  If a person is
determined to be a "risk" under this opaque (and possibly arbitrary
and/or discriminatory) procedure, the data will be stored for 50
years.  The TSA, to date, has provided absolutely no information about
how a passenger is determined to be a "possible risk to transportation
or national security."  They also give no information about how such a
person might become aware of his or her categorization, and how that
categorization might be legally challenged.  Indeed, one could argue
that simply purchasing a ticket makes an individual a "possible" risk
to transportation.  The TSA proposes that if a person is determined to
be a risk, the database will also be populated by detailed data about
that person, including "risk assessment reports; financial and
transactional data; public source information; proprietary data; and
information from law enforcement and intelligence sources."

EPIC has requested that the TSA answer the following questions to
enable better informed public comments on the merits of their

  (a) What is the aim of the Passenger Database? Is it the
      foundation of CAPPS-II (the TSA's data mining initiative
      similar to Total Information Awareness) or is it an
      integrated watch list?

  (b) What procedure will determine if a person is a "risk"?

  (c) How does a person become aware of being tagged as a "risk"?

  (d) How can that determination be legally challenged? and

  (e) what specifically are the policy and security safeguards to
      protect the Passenger Database?

The comments also discussed the privacy and security risks of the
CAPPS-II initiative and the need for greater transparency for the
other projects that are currently being pursued by the TSA.

EPIC's Comments:


DOT Electronic Docket:


[6] Privacy International Seeks "Stupid Security" Contest Submissions

Privacy International, a privacy watchdog group based in London, is on
a quest to find the world's most "stupid" security measure.  In order
for a particular security measure to be considered "stupid," it should
be one or more of the following: pointless, intrusive, annoying, or

The "Stupid Security" award aims to highlight the absurdities of the
security industry.  Privacy International director Simon Davies said
the group had launched the contest as a result of numerous security
initiatives around the world that had absolutely no genuine security

The competition is open to everyone, and will be judged by a panel of
well-known security experts, public policy specialists, privacy
advocates, and journalists.  Nominations will be accepted until March
15, 2003.  Winners will be announced at the 13th Annual Computers,
Freedom & Privacy conference in New York on April 3, 2003.

For more information, see:


Nominations can be sent to:


[7] EPIC Bookstore: Hong Kong Data Privacy Law

Mark Berthold and Raymond Wacks, "Hong Kong Data Privacy Law:
Territorial Regulation in a Borderless World" (Thomson, Sweet &
Maxwell Asia 2002)


It may surprise some in the West to learn that Hong Kong has one of
the most advanced privacy laws in the world.  But to those in the data
protection field, the Hong Kong Data Privacy Law is a well known model
for the protection of information privacy in the modern era.  The
Ordinance, as it is called, is derived from both the European Union
Data Directive and international norms for privacy protection,
including Article 12 of the Universal Declaration of Human Rights and
Article 19 of the International Covenant on Civil and Political

This is also a privacy law with teeth.  As Raymond Tang (the current
Privacy Commissioner for Personal Data) notes, the Ordinance has been
the subject of over 98,000 inquiries, 3,400 investigations, and 55
appeals before the statutory Administrative Appeals Board.  This is a
privacy law that requires careful study, and this new text from
Thomson delivers.

Mark Berthold and Raymond Wacks have set out an extraordinarily useful
overview of privacy law in Hong Kong and also the larger issues of
privacy protection in the online world.  The book details the
operation of the Hong Kong Data Privacy Ordinance.  It provides useful
interpretation of key provisions, as well as reports and analysis of
various cases decided under the law.  Researchers, practitioners, and
consumer advocates will find the text invaluable.

Berthold and Wacks have also made a significant contribution to the
larger study of privacy protection in a borderless world.  The text
explores the impact of the Internet as well as the various
technologies that both enhance and undermine privacy.  In the final
chapter the authors consider a range of important matters for policy
makers around the world -- drafting privacy law, developing codes of
practice, understanding the role of the privacy commissioner --
drawing often on the experience of Hong Kong and its own law.  Their
conclusion has universal application: "A well drafted, properly
enforced and socially accepted data privacy regime provides a
construct and valuable means by which to check the relentless, but far
from inevitable, assault on our personal data and privacy."

- Marc Rotenberg

Office of the Privacy Commissioner for Personal Data, Hong Kong:


EPIC / Privacy International, "Privacy and Human Rights: An
International Survey of Privacy Law and Developments" 196-205
(EPIC 2002) (Discussion of Hong Kong)



EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

** Uniting Privacy and the First Amendment in the 21st Century **

May 9-10, 2003
Oakland, CA

EPIC, the First Amendment Project, and the California Office of
Privacy Protection are sponsoring this activist symposium designed to
explore the interplay between privacy and First Amendment rights, with
the goal of developing strategies for optimizing both.

If you are interested in making a presentation or leading a Working
Group, please submit a letter outlining your proposed presentation and
including a brief explanation of the issue to be addressed, a list of
possible presenters, and the desired outcome of the session to:

For more information: http://www.epic.org/events/unitingsymposium/


Third Annual Privacy & Data Security Summit: Implementing & Managing
Privacy in a Complex Environment. International Association of Privacy
Professionals. February 26-28, 2003. Washington, DC. For more
information: http://www.privacyassociation.org/html/conferences.html

Quality Labels for Web Sites: Alternative Approaches to Content Rating.
Programme in Comparative Media Law and Policy (PCMLP), Oxford
University. February 27, 2003. Kirchberg, Luxembourg. For more
information: http://saferinternet.org/news/Quality-label-workshop.asp

The Law and Technology of DRM: What will DRM technologies mean for the
future of information? University of California, Berkeley, School of
Information Management and Systems and Boalt Hall School of Law.
February 27 - March 1, 2003. Berkeley, CA. For more information:

Legal and Pedagogical Aspects of a Safer Internet. Safer Internet For
Knowing and Living (SIFKaL). February 28, 2003. Kirchberg, Luxembourg.
For more information: http://rechtsinformatik.jura.uni-sb.de/sifkal/

Spectrum Policy: Property or Commons? Stanford Law School Center for
Internet and Society. March 1, 2003. For more information:

Improving Identification: Enhancing Security, Guarding Privacy. The
Communitarian Network. March 6, 2003. Washington, DC. For more
information: <mdunkelman@communitariannetwork.org>

Identity Theft: Current Enforcement and Prevention Efforts. New York
City Bar Association, Committee on Consumer Affairs. March 12, 2003.
New York, NY. For more information: <jgreenbaum@fkkslaw.com>

P&AB's Privacy Practitioners' Workshop and Ninth Annual National
Conference. Privacy & American Business. March 12-14, 2003.
Washington, DC. For more information:

Big Brother Technologies. A Choices and Challenges Forum. Center for
Interdisciplinary Studies, Virginia Polytechnic Institute and State
University. March 27, 2003. Blacksburg, VA. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information: http://www.cfp2003.org/

28th Annual AAAS Colloquium on Science and Technology Policy. American
Association for the Advancement of Science. April 10-11, 2003.
Washington, DC. For more information:

Integrating Government With New Technologies '03: E-Government, Change
and Information Democracy. Riley Information Services. April 11, 2003.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars/

RSA Conference 2003. RSA Security. April 13-17, 2003. San Francisco,
CA. For more information: http://www.rsaconference.com/

Building the Information Commonwealth: Information Technologies and
Prospects for Development of Civil Society Institutions in the
Countries of the Commonwealth of Independent States.
Interparliamentary Assembly of the Member States of the Commonwealth
of Independent States (IPA). April 22-24, 2003. St. Petersburg,
Russia. For more information: http://www.communities.org.ru/conference/

O'Reilly Emerging Technology Conference. April 22-25, 2003. Santa
Clara, CA. For more information: http://conferences.oreilly.com/etcon/

Mid Canada Information Security Conference. Information Protection
Association of Manitoba. April 30, 2003. Winnipeg, Manitoba, Canada.
For more information: http://www.ipam.mb.ca/mcisc/

Technologies for Protecting Personal Information. Federal Trade
Commission. Workshop 1: The Consumer Experience. May 14, 2003.
Workshop 2: The Business Experience. June 4, 2003. Washington, DC. For
more information: http://www.ftc.gov/techworkshop/

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For
more information: http://conferences.oreilly.com/oscon/

Privacy2003. Technology Policy Group. September 30 - October 2, 2003.
Columbus, OH. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:
     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:
     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription e-mail address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

** Receive a free Observing Surveillance conference poster with
donation of $75 or more! **

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

   ---------------------- END EPIC Alert 10.04 ----------------------