                          E P I C  A l e r t
Volume 10.06                                             March 26, 2003

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.

Table of Contents

[1] PATRIOT Act Secrecy Challenged; DoD Appeals EPIC FOIA Victory
[2] EPIC Testifies at European Parliament on Air Travel Privacy
[3] Senate Wants Answers on Controversial Air Security System
[4] EPIC Launches FOIA Gallery; Issues Privacy Report on WHOIS
[5] Data Industry Initiates Anti-Privacy Credit Campaign
[6] News in Brief
[7] EPIC Bookstore: The Naked Society
[8] Upcoming Conferences and Events

[1] PATRIOT Act Secrecy Challenged; DoD Appeals EPIC FOIA Victory

In a legal memorandum filed with the federal court in Washington on
March 21, EPIC and the American Civil Liberties Union, joined by
library and booksellers' organizations, challenged the Justice
Department's refusal to disclose basic, statistical information
concerning implementation of the controversial USA PATRIOT Act.  The
groups argue that the withheld information is critical to the public's
ability to evaluate the new surveillance powers; to determine whether
the government is using the new powers appropriately; to determine
whether the new powers should be renewed before they "sunset" in 2005;
and to determine whether further expansion of the government's
surveillance authority is warranted.

FBI documents that have been disclosed through the Freedom of
Information Act lawsuit reveal that the Bureau is aggressively using a
sweeping power that -- without the approval of a judge -- allows the
government to force banks, Internet service providers, telephone
companies, and credit agencies to turn over their customers' records.
Through the issuance of "National Security Letters" (NSLs) the
government can obtain records about people living in the United States
(including American citizens) without probable cause that the person
has committed any crime.  Entities that are required to turn over
information are prohibited from disclosing the fact that the FBI has
demanded the records.  Documents released by the FBI show that the
Bureau has issued enough "Transactional Records NSLs" since October
2001 to fill six pages of logs. It is not possible to determine
exactly how many times the power has been employed because the actual
log entries are entirely blacked out.

In another FOIA development, the Defense Department has appealed a
district court ruling that cleared the way for EPIC to receive
documents concerning DoD's Total Information Awareness (TIA) project.
U.S. District Judge John Bates ruled on January 16 that EPIC is
entitled to "preferred fee status" under the FOIA and ordered the
Pentagon to "expeditiously" process EPIC's almost year-old request for
information concerning Admiral John Poindexter and the Information
Awareness Office (see EPIC Alert 10.01).  While the Pentagon's appeal
of that ruling is not likely to prevent the release of material
concerning the TIA program, the Defense Department appears to be
seeking an appeals court determination that EPIC will not be entitled
to preferred fee status in the future.

The legal memorandum challenging PATRIOT Act secrecy is available at:


Information on the EPIC/ACLU PATRIOT Act FOIA litigation, including
copies of DOJ and FBI documents that have been released, is available


The district court decision granting EPIC preferred FOIA fee status is
available at:


[2] EPIC Testifies at European Parliament on Air Travel Privacy

On March 25, EPIC Policy Counsel Cédric Laurant testified at a hearing
on "Data Protection Since 11 September 2001: What Strategy for
Europe?"  The public seminar, organized by the European Parliament's
Committee on Citizens' Freedoms and Rights, Justice and Home Affairs,
discussed emerging threats to data protection in both the private and
the public sectors in the European Union.

EPIC's testimony focused on the implications of new U.S. passenger
profiling schemes for the privacy interests of European travelers.
Laurant discussed several U.S. government projects that involve the
profiling of European airline passengers traveling to the United
States and within Europe, including passenger profiling, Total
Information Awareness, and the Advanced Passenger Information System.

Earlier, the European Commission brokered an arrangement to allow the
Department of Homeland Security access to Passenger Name Records held
by European airlines.  The European Parliament severely criticized
this proposal and passed a resolution on March 13 stating that there
was no legal basis for the plan.  The Parliament also warned that it
would open the door to "de facto 'data-mining.'"

EPIC informed the Parliament about efforts in the U.S. to stop these
surveillance projects and urged the European Parliament to keep close
watch on the data-mining and profiling schemes as they move forward to
ensure that the legal rights of European citizens are not abridged.

Representatives of the European Commission, the European Data
Protection Working Party, and other data protection experts also
attended the event.

EPIC Statement for European Parliament Seminar:


European Parliament Hearing:


EPIC's Web page on Surveillance of European Air Travelers:


[3] Senate Wants Answers on Controversial Air Security System

The Senate Commerce Committee approved an amendment on March 13 that
would begin to open the controversial Enhanced Computer Assisted
Passenger Pre-Screening System (CAPPS-II) to Congressional scrutiny. 
The Transportation Security Administration (TSA)'s proposed passenger
profiling system aims to conduct background risk assessments on all
air travelers before they fly.  In this year's budget request, the
agency asked for an additional $45 million to support the development
of the system. Another $30 million was appropriated for the system in
the FY 2003 budget.

The profiling system will rely on experimental data-mining technology
to sift through data from various commercial and government databases,
assigning different "risk scores" to passengers.  Based on these
scores, passengers will either be denied boarding, subjected to a more
intrusive physical search, or passed through normal screening.  In
February, TSA assigned a contract to Lockheed Martin to supply the
software.  The commercial database providers have yet to be

TSA is testing CAPPS-II with Delta Airlines in three mid-size airports
this spring and plans to implement the profiling system throughout the
country by the summer of 2004.  In January, the agency issued a
Privacy Act notice about the system.  Many commenters (including EPIC)
argued that the notice violated the Privacy Act.  Responding to the
wave of criticism following the notice, the TSA is currently
attempting to develop privacy and security safeguards for the
profiling scheme.

The Senate Committee's amendment would require TSA to produce a
written report on the impact of the profiling system on the privacy
and civil liberties of United States citizens.  The report, if
mandated by Congress, would specifically address six issues:

     (1) What are the rules for data storage?
     (2) How will the risk scoring be conducted?
     (3) What is the role of third party vendors?
     (4) What will be the safeguards against abuse?
     (5) What are the procedures for correcting errors? and
     (6) What provisions are there for ongoing oversight to
         ensure compliance with privacy and civil liberties?

The amendment was included in S. 165, the Air Cargo Security Act,
which has been favorably reported out of the Committee and is pending
approval from the Senate.

In a related effort, EPIC and a broad coalition of national
organizations wrote to the House Select Committee on Homeland Security
on March 25 urging it to stop the deployment of the CAPPS-II project
unless it can be shown to be both effective and consistent with
privacy and due process principles.  The letter raises a host of
unanswered questions about the program.  At a House hearing on
data-mining held on March 25, an official from the White House Office
of Management and Budget expressed serious reservations about the
effectiveness of the passenger profiling system and said that OMB is
examining the system very closely.  He stated, "If we can't prove it
lowers risk, it's not a good investment for government."

Senate Commerce Committee CAPPS Amendment:


Coalition letter on CAPPS II:


Mark Forman, OMB Associate Director for E-Government and Information
Technology, testimony on data-mining:


EPIC's Passenger Profiling page:


[4] EPIC Launches FOIA Gallery; Issues Privacy Report on WHOIS

March 16 marked Freedom of Information Day, an occasion for those in
the information and education communities to inform the public about
its right to access government information.  In celebration of FOI
Day, EPIC created an online FOIA Gallery to showcase documents we
obtained through the Freedom of Information Act in the past year.  The
Web site provides scanned images and brief explanations of these
documents, including evidence of the misuse of the Foreign
Intelligence Surveillance Act, video monitoring of political
protesters in Washington, DC, and the names and project titles of the
organizations receiving funding from John Poindexter for research on
Total Information Awareness.

EPIC has also authored a new online privacy report on domain name
registration information.  Current policies for the .COM/.ORG/.NET
top-level domains require the publication of a domain name
registrant's personal information, such as mailing address, email
address, telephone number, and fax number.  EPIC's WHOIS Privacy
Issues Report, released just as ICANN is considering new policies for
WHOIS data, recommends that WHOIS policies follow the Organization for
Economic Cooperation and Development (OECD) Privacy Guidelines.  The
OECD Privacy Guidelines reflect an international consensus on privacy
protection for trans-border dataflows that directly implicates WHOIS
policies and practices.

EPIC FOIA Gallery 2003:


EPIC's WHOIS Privacy Issues Report:


EPIC's new page on WHOIS and Privacy:


[5] Data Industry Initiates Anti-Privacy Credit Campaign

Data profiling companies have begun a misleading anti-privacy campaign
with the goal of preventing state legislators from passing strong
privacy laws.  The data profiling companies are seeking extension of
federal preemption in the Fair Credit Reporting Act (FCRA).  If
preemption is extended or expanded, it will prevent states from
passing consumer-friendly privacy laws.  It may also prevent state
courts from developing new protections for personal data, as the New
Hampshire Supreme Court recently did in the Amy Boyer case (see EPIC
Alert 10.04).

The new campaign is just one part of a larger strategy to strip states
of their consumer protection authority.  The data industry has also
lobbied Congress and the Department of Treasury to further its
efforts.  This week, Sen. Tim Johnson (D-SD) introduced a bill to
extend preemption.

State advocates have led the way in passing new identity theft
protections and limits on collection and use of personal data. 
Pending legislation in California would expand those protections,
providing opt-in requirements before individuals' information is
commercially exploited.  Recognizing this, the National Association of
Attorneys General passed a resolution in December 2002 opposing
preemption of state credit law.  The Attorneys General emphasized that
federal law traditionally creates a floor of protections that allows
states to pass stronger laws and serve as "laboratories of democracy."

The anti-privacy industry group, calling itself the "Partnership to
Protect Consumer Credit," includes members that would benefit
substantially from weak federal privacy law.  Members include Fannie
Mae, the National Retail Federation, the Consumer Bankers Association,
the American Financial Services Association, Capital One, Consumer
Data Industry Association, CitiGroup, Household International, JP
Morgan Chase, MasterCard, MBNA, and Morgan Stanley-Discover Financial
Services.  Several of these companies, most notably the large banks,
engage in extensive profiling with individuals' personal information;
Citibank and Chase Manhattan were both pursued by attorneys general
for selling personal information to telemarketers in recent years.

National Association of Attorneys General Statement on FCRA Reform:


EPIC's Fair Credit Reporting Act Page:


FCRA: Congress Should Allow Preemption to Expire:


Text of S. 660, a bill to extend limitations on certain provisions of
State law under the Fair Credit Reporting Act:


[6] News in Brief

Eighth Circuit Upholds Junk Fax Law

The U.S. Court of Appeals for the 8th Circuit has upheld a law that
imposes fines upon businesses that send fax advertisements without the
consent of the recipient.  The case, Missouri v. American Blast Fax,
involved a First Amendment "commercial speech" challenge to the
Telephone Consumer Protection Act (TCPA) of 1991.

  State of Missouri v. American Blast, No. 02-2705, March 21, 2003:


EPIC Urges Privacy Act Rules for Data-Miners

In comments submitted for a hearing before the House Government Reform
Subcommittee on Information Policy, EPIC described risks to privacy
and civil liberties posed by data-mining.  Relying upon documents
obtained through the Freedom of Information Act, EPIC argued that
since the government obtains volumes of personal information from
private-sector companies, Congress should extend the Privacy Act to
cover commercial information brokers.

  EPIC's comments are available at:


FBI Drops Accuracy Requirements from Criminal Records Database

The Department of Justice announced this week that it would no longer
comply with the obligation under the 1974 Privacy Act to ensure that
information maintained in the country's largest criminal database is
accurate and timely.  The National Crime Information Center provides
over 80,000 law enforcement agencies with access to a computerized
network of more than 39 million records regarding criminal activity.

  National Crime Information Center:


Groups Oppose Use of Tax Information For Marketing

EPIC and a coalition of consumer groups submitted a letter to the
Department of the Treasury warning the agency that commercial tax
preparation companies participating in the IRS Free File program are
using confidential taxpayer information to market financial products
and services to individuals.

  For more information, see the press release:


  The letter is available at:


National Do-Not-Call Legislation Enacted

President Bush has signed the Do-Not-Call Implementation Act, clearing
the way for a federal system that will allow individuals to enroll in
a registry to reduce the number of telemarketing calls received.  The
legislation approves the Federal Trade Commission (FTC)'s plans to
collect fees from telemarketers in order to create the registry.
Telemarketers report that they have raised $1 million to defeat the
registry through lawsuits.  Thus far, three lawsuits have been brought
in federal district courts in Oklahoma, Colorado, and Washington, DC.

  Do-Not-Call Implementation Act (P.L. 108-10):


  EPIC Telemarketing Page:


National Research Council Releases Report on Biometrics and Privacy

A new report from the National Research Council examines the privacy
implications of systems designed for authentication of identity.  The
report, titled "Who Goes There? Authentication Through the Lens of
Privacy," looks at a variety of legal, policy, and technical
considerations and concludes that privacy standards should be

  The report is available online at:


Report: Pre-9/11 Problems Not Caused by Lack of Surveillance Authority

Eleanor Hill, the staff director of the Joint Senate and House 9/11
Inquiry Committee, said at an ABA Standing Committee on Law and
National Security meeting in Washington on March 18 that the pre-9/11
problems with intelligence had nothing to do with civil liberties or a
lack of additional authorities to conduct surveillance.  She said the
government had all the relevant information but failed to analyze and
combine the pieces of intelligence properly.  Hill's inquiry report
cited the failure of the FBI and CIA in sharing critical information
on a number of the terrorist hijackers.  She also said civil liberties
are integral to the traditions of the country.

  US Senate Committee on Intelligence - Publications:


[7] EPIC Bookstore: The Naked Society

The Naked Society, by Vance Packard (Van Rees Press 1964 -- out of

In "The Naked Society," Vance Packard methodically identifies the
privacy-invading forces in our culture.  Among these forces is
urbanization, which breeds a fear of crime and an accompanying
tolerance of more aggressive police tactics.  Growing American
affluence has led to more invasive marketing techniques. 
Additionally, the advance of technology constantly changes boundaries
and expectations.  Packard disdainfully describes the resulting parade
of horribles, including personality tests, employee background
investigations, sneak and peek police searches, and commercial list

Much can be gained by visiting this work from the 1960s.  One can see
parallels between past "scientific" belief in polygraph testing and
the modern-day superstition of predictive profiling.  Packard also
foreshadows the problems of collection of personal information, and
how this data could be employed for secondary, unforeseen purposes. If
edited to recognize the quickened pace of access to personal
information and the effects of aggregation, a re-publishing of "The
Naked Society" would be even more relevant today.  Packard's central
warning to society certainly remains true: that the rights of the most
upstanding citizens are only secure as long as we respect the autonomy
of the most disreputable.

Packard closes his work with a call to begin restoring privacy by
respecting it in one's own home.  In a world where children are
monitored by closed-circuit cameras and location-based devices,
Packard's advice is more important now than ever: "A child raised in
an environment where his individuality is respected will have more
inner resources to draw upon when he becomes an adult."

- Chris Jay Hoofnagle


EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

** Uniting Privacy and the First Amendment in the 21st Century **

May 9-10, 2003
Oakland, CA

EPIC, the First Amendment Project, and the California Office of
Privacy Protection are sponsoring this activist symposium designed to
explore the interplay between privacy and First Amendment rights, with
the goal of developing strategies for optimizing both.

If you are interested in making a presentation or leading a Working
Group, please submit a letter outlining your proposed presentation and
including a brief explanation of the issue to be addressed, a list of
possible presenters, and the desired outcome of the session to:

For more information: http://www.epic.org/events/unitingsymposium/


Big Brother Technologies. A Choices and Challenges Forum. Center for
Interdisciplinary Studies, Virginia Polytechnic Institute and State
University. March 27, 2003. Blacksburg, VA. For more information:

Symposium on Security, Technology, and Individual Rights: the
convergence of our history, our ideals, and our innovative spirit.
Georgetown Journal of Law and Public Policy. March 27-28, 2003.
Washington, DC. For more information: <gjlpp@law.georgetown.edu>

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information: http://www.cfp2003.org/

28th Annual AAAS Colloquium on Science and Technology Policy. American
Association for the Advancement of Science. April 10-11, 2003.
Washington, DC. For more information:

Integrating Government With New Technologies '03: E-Government, Change
and Information Democracy. Riley Information Services. April 11, 2003.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars/

RSA Conference 2003. RSA Security. April 13-17, 2003. San Francisco,
CA. For more information: http://www.rsaconference.com/

**POSTPONED UNTIL MID-JUNE.** Building the Information Commonwealth:
Information Technologies and Prospects for Development of Civil
Society Institutions in the Countries of the Commonwealth of
Independent States. Interparliamentary Assembly of the Member States
of the Commonwealth of Independent States (IPA). April 22-24, 2003.
St. Petersburg, Russia. For more information:

O'Reilly Emerging Technology Conference. April 22-25, 2003. Santa
Clara, CA. For more information: http://conferences.oreilly.com/etcon/

Mid Canada Information Security Conference. Information Protection
Association of Manitoba. April 30, 2003. Winnipeg, Manitoba, Canada.
For more information: http://www.ipam.mb.ca/mcisc/

Little Sister 2003: Community Resistance, Security, Law and
Technology. May 9-11, 2003. Vancouver, British Columbia, Canada. For
more information: http://www.littlesister2003.org/

2003 IEEE Symposium on Security and Privacy. IEEE Computer Society
Technical Committee on Security and Privacy, in cooperation with the
International Association for Cryptologic Research (IACR). May 11-14,
2003. Oakland, CA. For more information:

Technologies for Protecting Personal Information. Federal Trade
Commission. Workshop 1: The Consumer Experience. May 14, 2003.
Workshop 2: The Business Experience. June 4, 2003. Washington, DC. For
more information: http://www.ftc.gov/techworkshop/

ITS-2003: Third International Conference on "Information Technologies
and Security." June 23-27, 2003. Partenit, Crimea, Ukraine. For more
information: http://www.itb.conferen.ru/eng/info_e.html

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For
more information: http://conferences.oreilly.com/oscon/

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk
and Science Fiction. August 11-13, 2003. Prague, Czech Republic. For
more information: http://www.inter-disciplinary.net/vhccsf03cfp.htm

Privacy2003. Technology Policy Group. September 30 - October 2, 2003.
Columbus, OH. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription e-mail address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

** Receive a free Observing Surveillance conference poster with
donation of $75 or more! **

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

   ---------------------- END EPIC Alert 10.06 ----------------------