                          E P I C  A l e r t
Volume 10.10                                               May 23, 2003

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.


Table of Contents

[1] Pentagon Submits Report on Info Awareness Project
[2] EPIC Testifies at Senate Spam Hearing
[3] Justice Department Reports on PATRIOT Act Implementation
[4] FTC Workshop on Technologies for Protecting Personal Information
[5] EPIC Obtains ChoicePoint Documents in FOIA Suit
[6] News in Brief
[7] EPIC Bookstore: Invisible Punishment
[8] Upcoming Conferences and Events

[1] Pentagon Submits Report on Info Awareness Project

On May 20, the Pentagon's Defense Advanced Research Projects Agency
(DARPA) submitted its congressionally-mandated report on the Total
Information Awareness Program (TIA), now re-named the "Terrorism"
Information Awareness Program.  The name change, according to DARPA,
was necessary because the original name "created in some minds the
impression that TIA was a system to be used for developing dossiers on
U.S. citizens."

Congress required DARPA to provide responses to five questions. 
First, a detailed accounting of the funds, proposed expenditure plans,
and target dates for deployment; second, an analysis discussing the
likely efficacy of the surveillance program; third, an analysis of the
likely impact on privacy and civil liberties; fourth, an accounting of
the current laws that would govern information being sought by TIA and
any modifications to the laws that TIA might require; and finally,
Congress asked for recommendations, endorsed by the Attorney General,
for practices, procedures, and regulations to eliminate or minimize
adverse effects on privacy and other civil liberties.

DARPA's report describes the program's goals and budget information,
its efforts to develop protections for the data it plans to collect,
and an explanation of how it intends to comply with U.S. laws.  The
report reveals that DARPA is building a prototype for the Army's
Intelligence and Security Command (INSCOM) for the Information
Dominance Center (re-named Information Operations Center).  In
addition, the report discloses more information about projects such as
"Scalable Social Network Analysis," "Activity Recognition and
Monitoring," and "Next-Generation Face Technology" that has not been
publicly reported.

The Information Awareness Office, whose mission is described as
developing technologies to "counter asymmetric threats by achieving
total information awareness," is pursuing the development of four
different categories of technologies.  First, the umbrella program, the
Information Awareness prototype; second, tools for collaboration and
decision support; third, language translation programs; and fourth,
data storage, mining and information classification technologies.

In response to questions about the legal restrictions surrounding the
collection of data for the information awareness program, DARPA states
that it will only use information that is legally obtainable by the
Federal government.  This includes information available to
intelligence agencies.  The report does not discuss the role of the
judicial branch or the legislative branch in limiting or overseeing
executive branch powers.  The report also suggests that Pentagon
officials view privacy as a question of developing appropriate
classification of information and authorization for government
officials.  This is in contrast to genuine privacy protections, such
as the Fair Information Practices embodied in the Privacy Act, which
limits the collection of information and provides opportunities for
access and correction of records to provide due process rights to

The public report provides an opportunity for more informed public
debate over the TIA program and its goals.  EPIC has made available
TIA contractor documents it obtained under the Freedom of Information
Act to enable greater public oversight of the surveillance program. 
Congress will need to determine if DARPA has fully answered the
questions required by law.  It must also determine whether the
operational deployment of information awareness technology in the
Army's INSCOM is permitted under restrictions preventing the
technology from being deployed against U.S. persons without explicit
Congressional approval. 

The DARPA report on TIA is available at:


EPIC's Total Information Awareness Page:


[2] EPIC Testifies at Senate Spam Hearing

The Senate Commerce Committee explored Unsolicited Commercial Email,
or "spam," at a hearing on May 21.  EPIC Executive Director Marc
Rotenberg testified on the need for strong, effective measures to
reduce spam.  Other panelists included FTC Commissioners Orson Swindle
and Mozelle Thompson, AOL Vice Chairman Ted Leonsis, the CEO of
Brightmail, a leading anti-spam company, a representative from the
Network Advertising Initiative, and Ronnie Scelson, a spammer.  EPIC's
testimony argued in favor of "opt-in" mailing lists, a private right
of action for consumers, and freedom for states to pursue spammers,
combined with technical measures and international cooperation.

Rotenberg noted that spam is increasing rapidly and threatens to choke
email communications, but that it is a complex problem to solve.
Legislation alone will not stop spam, but could play an important
role.  A multi-tiered approach that includes aggressive enforcement,
better technology for identifying and filtering spam, and cooperation
at the state and international level would all be necessary.  The
Transatlantic Consumer Dialogue (TACD) has called for international
cooperation in helping consumers fight unsolicited commercial
messages.  He pointed out that legislative responses to the spam
problem might set precedents for other emerging communications media
where unsolicited commercial messages are sent to consumers.

Rotenberg argued that technical solutions such as filtering tools or
the blocking of incoming emails may not be sufficient.  Filters or
blocking tools would be either ineffective or might overblock
important messages from friends or business.  Solutions must also be
sensitive to the constitutional implications; a requirement, for
instance, to identify the sender of non-commercial messages would be

FTC Commissioner Thompson told the committee that legislation was
needed, while Commissioner Swindle argued that technological solutions
would provide a better fix.  They agreed to provide the committee with
a set of policy recommendations within 45 days based on information
from the FTC's recent Spam Forum.  AOL's Leonsis argued in favor of
federal legislation that would assist AOL's efforts to combat spam.
The Network Advertising Initiative supported strong legislation to
prohibit deception and fraud through spam, but opposed legislation
requiring companies to obtain opt-in consent before sending
unsolicited commercial messages.  They also seek federal preemption of
state laws.  The most colorful witness, Scelson, who is a
self-identified spammer, made a commercial free speech defense of his
activities.  He accused AOL and other Internet Service Providers of
spamming their own members and entering contracts with spammers who
agreed to pay a higher price to reach the ISPs' users.

EPIC's testimony is available at:


Senate Commerce Committee witness list and testimony:


[3] Justice Department Reports on PATRIOT Act Implementation

The Justice Department has released a sixty-page report that provides
fresh insights into its use of the USA PATRIOT Act surveillance
powers. The report responds to a series of critical questions posed by
the House Judiciary Committee that sought to understand what the
department was doing to fight terrorism and protect civil liberties.
The report describes the operational changes initiated by the new
Attorney General Guidelines and the Foreign Intelligence Surveillance
Review Court opinion that brought down the "wall" between intelligence
and law enforcement.  Additionally, the report provides information on
data-mining activities currently underway at the department and DOJ's
assistance in the development of the airline passenger profiling
program.  Finally, DOJ classified sections of the report addressing
its foreign intelligence guidelines under Executive Order 12333 and
how it conducted three successive "sweeps" of Arab American and South
Asian communities since September 11.

The report attempts to play down the government's use of the new
powers, while at the same time showing that they have been crucial in
disrupting terrorist plots.  The examples used to illustrate the use
of the new authorities are in many cases unrelated to terrorism, such
as credit card fraud, kidnapping, drugs, and theft. The report
provides some new statistics on the use of delayed notification
searches and seizures under Section 213 of the PATRIOT Act.

The report discloses that following the FISA Review Court's
endorsement of the Attorney General's new Guidelines that weakened the
"wall" between intelligence and criminal investigations, criminal
prosecutors are reviewing 4,500 intelligence files for evidence or
information for use in criminal cases.  The department notes that
criminal investigations and immigration enforcement are "key
preventative tools" for counter terrorism and that information
obtained through the FISA is being used for those purposes.  The
report also discusses FISA procedures, training programs and field
guidelines.  Information on the department's use of other surveillance
techniques under sections 204, 206, 214, and 215 is being provided to
the Committee in classified form.

The report attempts to explain how the new Attorney General's
Guidelines allowing FBI access to publicly available information and
public spaces, including mosques, has worked in practice.  It also
discusses the Secure Counterterrorism Operational Prototype
Environment (SCOPE) and Investigative Data Warehouse, which are the
FBI's attempts to develop specialized tools to "identify and present
hidden relationships" in the data.  The data sources for data-mining
and pattern recognition include commercial data from ChoicePoint and
iMap, federal government data, and intelligence data.  DOJ
acknowledges that the use of data-mining must comply with the Privacy
Act and asserts that it provides access to data stored by the Justice
Department.  The department also disclosed that the Computer Assisted
Passenger Pre-Screening Program, if implemented, proposes to use the
Violent Gang Terrorist Organization File (VGTOF) to screen airline

The Justice Department report is available at:




EPIC's Attorney General's Guidelines Page:


[4] FTC Workshop on Technologies for Protecting Personal Information

On May 14, the Federal Trade Commission (FTC) explored "Technologies
for Protecting Personal Information:  The Consumer Experience" as part
of a public workshop on the role of technology for consumer privacy

During the workshop, the FTC considered consumer tools for managing
the collection and use of personal information.  EPIC commented that
the starting point for such a discussion is a clear understanding of
what is meant by privacy enhancing technologies (PETs).  PETs are
technologies or tools that eliminate or minimize the collection of
personally identifiable information.  Individuals commonly use PETs in
the physical world.  Cash, for instance, enables us to purchase items
and services without transferring any personally identifiable
information.  Digital cash could function in a similar way. 

After providing a number of examples of tools that genuinely advance
privacy, EPIC noted several characteristics common to them.  For
example, all genuine PETs:

   * limit the collection of personally identifiable information;
   * enable commerce and communication;
   * do not facilitate the collection of personal information;
   * do not force Internet users to trade privacy for convenience; and
   * do not treat privacy as a business commodity.

These are all desirable characteristics that genuinely advance privacy
and promote transactional activity in the online environment.

For more information on the workshop, see:


[5] EPIC Obtains ChoicePoint Documents in FOIA Suit

Documents obtained under a Freedom of Information Act (FOIA) lawsuit
provide more insight into how law enforcement and counterintelligence
agents are using private-sector databases to obtain personal
information.  Much of the material concerns ChoicePoint, one of the
largest data-vending firms.  The documents were heavily redacted by
the FBI, which excised "ChoicePoint information," even when the
information appeared in news stories collected by the agency.

An FBI memorandum titled "Guidance Regarding the Use of ChoicePoint
for Foreign Intelligence Collection or Foreign Counterterrorism
Investigations" analyzes law enforcement use of ChoicePoint in the
context of federal privacy laws and the Attorney General's Guidelines.
The memorandum rationalizes use of private-sector databases as the
"least intrusive means" of collecting personal information and
concludes that ChoicePoint can be used for foreign intelligence and
counterintelligence investigations.

A presentation titled "The FBI's Public-Source Information Program
Fact Versus Fiction" highlights the agency's access to property
records, professional licenses, news articles, driver and DMV records,
census records, and credit headers.  It lists ChoicePoint, Westlaw,
Lexis Nexis, Dun and Bradstreet, and credit reporting agencies as
sources for this information.  Reliance on these databases has
increased by 9600 percent since 1992, according to the presentation.
However, one unnamed credit reporting agency is no longer selling
credit header information to law enforcement.

Unrelated documents filed in a federal lawsuit in the Northern
District of Georgia indicate that ChoicePoint is constructing a
"Central Biometric Authority."  According to the complaint filed by
International Biometric Group and ChoicePoint's answer, the central
biometric authority is intended to perform "secure and standardized
acquisition, matching, and indexing of biometric data."  This
biometrics database appears to be in development for ChoicePoint's
expanding employee and volunteer background check services.

FBI Guidance on Use of ChoicePoint:


FBI Presentation on Public Source Information:


Complaint in International Biometric Group v. ChoicePoint:


Answer in International Biometric Group v. ChoicePoint:


[6] News in Brief

Microsoft Passport Flaw Discovered

A computer researcher in Pakistan found a new flaw in Microsoft
Passport that could expose personal information, including credit card
numbers, for 200 million Internet users.  In July and August 2001,
EPIC and a coalition of consumer advocacy groups filed detailed
complaints with the Federal Trade Commission (FTC) concerning the
privacy risks associated with the Passport identification and
authentication system.  The FTC found that Microsoft's representations
about Passport constituted unfair and deceptive trade practices and
settled the action against Microsoft.  The agreement requires that
Microsoft establish a comprehensive information security program for
Passport, and that it must not misrepresent its practices of
information collection and usage.

EPIC's Passport Page:


Senate Holds First Fair Credit Reporting Hearing

The Senate Banking Committee began the first of a series of hearings
to determine whether states should be able to enact laws that provide
greater consumer protection than federal law.  The hearing was held
because one portion of the Fair Credit Reporting Act relating to
preemption of state laws will expire on January 1, 2004, thus paving
the way for states to experiment with different approaches to credit
law.  The sole witness before the committee was Howard Beales,
Director of the FTC's Bureau of Consumer Protection.  While the FTC
has not taken a position on preemption, the agency did describe three
important ways in which credit reporting has changed. First, more
types of businesses are using credit reports.  Second, there is a
greater reliance on prescreening, unsolicited offers of credit or
insurance that are targeted to certain individuals based on their
credit reports.  Last, many businesses are now using credit reports
for risk-based pricing for products and services.

FTC Testimony:


EPIC Preemption Watch Page:


U.S. To Require Biometrics in Visas and Passports

Pursuant to the Homeland Security Act of 2002, the Department of
Homeland Security will introduce the US-VISIT (United States Visitor
and Immigrant Status Indicator Technology) program by the end of 2004.
The program collects, maintains and shares information, including
biometric identifiers on foreign nationals.  The system is designed to
scan travel documents, take fingerprints and pictures of foreign
nationals to check them against government databases.  Other biometric
identifiers, such as facial recognition and iris scan, are likely to
be introduced by 2005.

Citizens of nations that participate in the Visa Waiver Program will
be asked either to show a national passport that contains biometric
data (fingerprint) or they will be excluded from the waiver program
and have to apply for a visa.  The database that will be created under
the US-VISIT program will store all data for an unspecified length of
time and will be shared across all law enforcement agencies.

U.S. VISIT Program Fact Sheet:


[7] EPIC Bookstore: Invisible Punishment

Invisible Punishment: The Collateral Consequences of Mass
Imprisonment, The New Press, ISBN 1-56584-726-1


On any given day in America's capital over 10 percent of
African-American men between the ages of eighteen and thirty-five are
in prison, and over half are under some form of correctional
supervision.  Under current conditions, well over 75 percent of
African-American men in the District of Columbia can expect to be
incarcerated at some time in their lives.  Nationwide a million people
are convicted of felony crimes each year; 450,000 of them are
sentenced to prison.  Incarceration is the predominant mode of crime
control in the United States, as the country follows what appears to
be a social policy of mass imprisonment.

"Invisible Punishment" is a fascinating new book from the Sentencing
Project, a public interest organization that promotes criminal justice
reform and chronicles how the unprecedented expansion of the prison
system over three decades has also brought with it a complex network
of "invisible punishments" affecting families and communities
nationwide.  Federal and state governments impose collateral
punishments for crimes that include denying voting rights, welfare
benefits, public housing, social security benefits, and creating
registration laws.  Private employers have followed suit by
increasingly relying on fingerprinting and background checks for
employment decisions.  As one of the authors argues, "In the modern
welfare state, these restrictions of the universe of social and
welfare rights amount to a variant on the tradition of 'civil death'
in which the offender is defined as unworthy of the benefits of
society, and is excluded from the social compact."

The prison policy has a disproportionate impact on minorities and
raises fundamental questions of justice, fairness, and access to
resources.  In 1980, 40,000 people were in prison for drug possession.
Today, because of the War on Drugs, there are a half million people in
prison on drug charges.  The result of the mass imprisonment policy is
the creation of a large population of felons, concentrated in poor,
minority communities, who are "marked" and "monitored" and cut off
from the supports of modern society.  The authors warn us that, "We
are creating deeper and longer-lasting distinctions between 'us' and
'them.'"  And, of course, such a policy produces further inequality by
reinforcing the cycle of diminished expectations for the next

Technologies of identification, record storage and data linkage create
the conditions for invisible punishment to flourish.  David Burnham's
prescient book, "The Rise of the Computer State," discussed these
problems in 1980.  Current information technology, including new
surveillance programs, coupled with the increasing reliance on private
sector database operators such as ChoicePoint that are not accountable
to the public, only exacerbate the problem.  "Invisible Punishment"
challenges us to consider how these practices of exclusion operate
through technology and what we must do to fix our systems to make our
society more fair and just.

- Mihir Kshirsagar


EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore

     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Workshop on Compliance with European Union Data Protection
Requirements. June 2, 2003. U.S. Department of Commerce, TRUSTe and
Oracle Corporation. Oracle Conference Center, 350 Oracle Parkway,
Redwood Shores, CA.

Technologies for Protecting Personal Information. Federal Trade
Commission. Workshop 1: The Consumer Experience. May 14, 2003.
Workshop 2: The Business Experience. June 4, 2003. Washington, DC. For
more information: http://www.ftc.gov/techworkshop/

ITS-2003: Third International Conference on "Information Technologies
and Security." June 23-27, 2003. Partenit, Crimea, Ukraine. For more
information:

Press Freedom on the Internet. The World Press Freedom Committee. June
26-28, 2003. New York, NY.

Building the Information Commonwealth: Information Technologies and
Prospects for Development of Civil Society Institutions in the
Countries of the Commonwealth of Independent States.
Interparliamentary Assembly of the Member States of the Commonwealth
of Independent States (IPA). June 30-July 2, 2003. St. Petersburg,
Russia. For more information:

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For
more information: http://conferences.oreilly.com/oscon/

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk
and Science Fiction. August 11-13, 2003. Prague, Czech Republic. For
more information: http://www.inter-disciplinary.net/vhccsf03cfp.htm

Integrating Privacy Into Your Overall Business Strategy: Complying
with Privacy Legislation for Competitive Advantage. International
Quality and Productivity Centre (IQPC Canada). July 9-10, 2003.
Toronto, Canada. For more information:

Chaos Communication Camp 2003: The International Hacker Open Air
Gathering. Chaos Computer Club. August 7-10, 2003. Paulshof,
Altlandsberg, Germany. For more information: http://www.ccc.de/camp/

WWW2003: 5th Annual Conference on World Wide Web Applications.
Department of Information Studies, Rand Afrikaans University, and the
Department of Information Systems and Technology, University of
Durban-Westville. September 10-12, 2003. Durban, South Africa. For
more information: http://www.udw.ac.za/www2003/

Making Intelligence Accountable, Oslo, Norway September 19-20, 2003.
The Geneva Centre for the Democratic Control of Armed Forces. For more

Privacy2003. Technology Policy Group. September 30-October 2, 2003.
Columbus, OH. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

To: epic_news-request@mailman.epic.org
Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

To: epic_news-request@mailman.epic.org
Subject: "help" (no quotes)

Problems or questions? e-mail <info@epic.org>

Back issues are available at: http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription e-mail address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140
(tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.10 ----------------------