EPIC logo

                          E P I C  A l e r t
Volume 10.15                                              July 22, 2003

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.


Table of Contents

[1] Senate Requires Reporting For CAPPS II; Extends TIA Moratorium
[2] EPIC Testifies on Credit Reporting Privacy, Inaccuracy
[3] First HIPAA Privacy Enforcement Details Reported
[4] U.S. Park Police Releases Video Surveillance Policy
[5] RFID PR Revealed; Wal-Mart Cancels Major RFID Effort
[6] EPIC Testifies on Use and Misuse of the Social Security Number
[7] EPIC Bookstore: "Censorship Inc."
[8] Upcoming Conferences and Events

[1] Senate Requires Reporting For CAPPS II; Extends TIA Moratorium

On July 10, the Senate voted to withhold funding for the Computer
Assisted Passenger Prescreening System (CAPPS II) until the
Transportation Security Administration (TSA) provides more information
about procedural and technological safeguards in the program.  The
provision is included in the Senate version of the Homeland Security
appropriations bill.

CAPPS II would allow the government to evaluate the security threat an
individual poses by analyzing personal information about that person.
Information could be collected from credit reports, public records,
and criminal records, among other sources.  Passengers labeled a high
threat would not be permitted to fly.

The Senate version of the bill prohibits the TSA from using any
funding from the Act "for testing (other than simulations),
deployment, or implementation of [CAPPS II]."  The Senate prohibition
would remain in effect until the TSA reports to the Government
Accounting Office and Congress on the status of the following aspects
of the program: any system of due process for correcting erroneous
information; the error rate of the system; evidence of "efficiency and
accuracy"; an internal board to oversee development; safeguards
against abuse; safeguards against hackers; policies providing
effective oversight of the implementation of the program; and absence
of any privacy concerns with the technology employed.

The House version of the spending bill contains no specific reference
to CAPPS II; a conference committee must reconcile the two versions.

The Senate has also voted to suspend funding for the equally
controversial Terrorism Information Awareness (TIA) program as part of
the Department of Defense appropriations bill.  TIA is intended to
capture every person's "information signature" through the collection
and compilation of records regarding their activities.  With vast
databases of information signatures, the government would use
algorithms to track potential terrorists and criminals.

While the Senate version of the spending bill  would provide no
funding for TIA, the House version instead would ban the use of such
technology on U.S. citizens without congressional authorization.  A
conference committee will work out the differences between the Senate
and House versions of the spending bill.

The Senate version of the Homeland Security appropriations bill is
available at:


More information about CAPPS II is available at EPIC's Air Travel
Privacy Page:


More information on Terrorism Information Awareness is available at
EPIC's TIA Page:


[2] EPIC Testifies on Credit Reporting Privacy, Inaccuracy

On July 9, the House Committee on Financial Services held an extensive
hearing on H.R. 2622, the Fair and Accurate Credit Transactions Act
(FACT Act).  EPIC Deputy Counsel Chris Hoofnagle was among the
witnesses who testified at the hearing.

EPIC's testimony focused on preserving state legislative and
enforcement authority in credit regulation.  Hoofnagle argued that
states have historically enacted the best privacy protection, and
treating the FCRA as a federal ceiling is an aberration.  As
"laboratories of Democracy," states are in an advantageous position to
create innovative privacy protections, and they are better situated
than Congress to quickly address problems.  An additional area of
focus was affiliate sharing, as large banks can now exploit
information inside their "corporate families."  Because affiliate
sharing allows financial institutions to share personal information
about their customers without restrictions, it directly increases risk
of identity theft and fraudulent marketing.

Consumer advocate Stephen Brobeck of the Consumer Federation of
America also argued that the bill does not adequately address the
major problems in credit reporting, such as the mismerged file that
occurs when two individuals files are combined into one report.
William Springs of the National Urban League and Hillary Shelton of
the NAACP also testified on behalf of consumers.  Mr. Shelton argued
that, under the current credit scoring system, minorities in all
economic categories are disproportionately targeted with predatory and
sub-prime lending.

In a separate letter to the Senate Banking Committee, EPIC presented
evidence that systemic inadequacies at the Credit Reporting Agencies
(CRAs) contribute to inaccuracy and consumer frustration.  For
instance, at one CRA, representatives are required to complete 100
consumer inquiries a day, giving them just four minutes per inquiry.
The letter urges Congress to give consumers free and complete access
to their reports.

EPIC's Testimony on H.R. 2622 is available at:


EPIC's Letter on CRA Inaccuracy is available at:


[3] First HIPAA Privacy Enforcement Details Reported

Three months after the Health Insurance Portability and Accountability
Act (HIPAA) Privacy Rule became effective, the first updates on
enforcement activities reflect the law's early implementation

On June 24, the Office for Civil Rights (OCR), which is responsible
for the enforcement of the Privacy Rule within the Department of
Health and Human Services, provided an update to the National
Committee on Vital and Health Statistics (NCVHS), a public advisory
body to the Secretary of Health and Human Services.  Stephanie
Kaminsky of OCR testified that the office received 637 complaints
prior to the hearing date.  Of those, OCR had closed 124 cases and 513
remained open.  A total of 260 cases were accepted for investigation
after OCR determined that the complaint dealt with an issue, time
frame and entity over which OCR has proper jurisdiction.  No cases
have been referred to the Justice Department for criminal prosecution.
Complaints to the OCR have raised such issues as the inability of
individuals to access their information, inadequate safeguards for
health information, deficient provision of Notice of Privacy
Practices, and insufficient minimum necessary procedures to limit
disclosure in provider offices and facilities.

OCR has repeatedly stated that its enforcement goals are to promote
voluntary compliance within the health care sector and to handle most
complaints by providing technical assistance to the entity involved.
Despite assurances that such assistance will be the primary means of
enforcement, many health care organizations have become wary about
disclosing information when civil and criminal penalties might follow.
In an early July congressional briefing sponsored by the Healthcare
Leadership Council, some organizations stated that they are delaying
the use of e-mail and other communication technologies for
transmitting information to patients.  The delays are apparently
caused by the need to have appropriate verification procedures and
encryption in place to ensure that the information does not go astray.

Privacy Rule compliance and enforcement will remain prominent issues
over the next year as OCR refines the substantive portion of the
Enforcement Rule.  The interim procedural Rule is set to expire in
September 2004.

Office for Civil Rights in the Department of Health and Human


National Committee on Vital and Health Statistics:


For more information, see EPIC's Medical Privacy Page at:


[4] U.S. Park Police Releases Video Surveillance Policy

The U.S. Park Police (USPP) recently released guidelines on the use of
its video surveillance system in Washington, DC.  The policy was
formulated in response to critiques by Congress and the DC City
Council more than a year ago that the USPP was not forthcoming about
its use of video cameras, and should make public a policy on its
camera surveillance of Monumental Core of the nation's capital.  For
more than a year, the USPP has been constantly monitoring federal
public spaces with undisclosed cameras without notifying the public,
with few privacy safeguards in place and with little public oversight.

Last year the Metropolitan Police Department of the District of
Columbia (MPDC) was also urged by Congress, the DC City Council and
civil liberties groups to establish a video surveillance policy that
would address privacy and freedom of speech concerns after the MPDC
installed cameras without notifying the public or obtaining budget
approval.  Although the USPP's current guidelines constitute a good
starting point, they are generally more invasive than the MPDC's
guidelines, providing for 24-hour, seven-day-a-week surveillance, and
retention of records for six months.  The USPP guidelines are less
detailed than those implemented by the MPDC and do not provide for any
effective oversight and accountability mechanisms.  The USPP
guidelines also do not exclude later use of face recognition

Furthermore, the USPP guidelines are based on the assumption that
video surveillance is effective to detect and prevent terrorist
attacks, as well as deter criminal activity -- a claim which has never
been proved to be true.  In fact, a reference meta-study conducted on
the effectiveness of law enforcement use of video surveillance in the
United Kingdom and the United States clearly shows no strong evidence
that cameras in center city and residential areas deter criminals or
offer any value as a crime-fighting tool.  Further, the United
Kingdom, which originally justified the installation of video cameras
in response to a terrorism threat, has never caught a single
terrorist, even after installing more than 1,500,000 cameras
throughout the country during the last ten years.

A recent report from the General Accounting Office questions the
secret surveillance by the Park Police and points to the USPP's lack
of public transparency and openness.  The USPP's guidelines are
subject to public comments.

USPP's CCTV Policy (June 2003) is available at:


EPIC's Video Surveillance Page is available at:


The UK government study on law enforcement use of video surveillance
is available at:


The General Accounting Office's recent report on video surveillance is
available at:


[5] RFID PR Revealed; Wal-Mart Cancels Major RFID Effort

Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN)
recently located internal public relations documents detailing how
Radio Frequency Identification (RFID) developers plan to offset public
opposition to the widespread implantation of the tracking devices in
consumer products.  The documents, prepared by Fleishman-Hillard, a
public relations consultancy, detail how such a campaign may unfold. 
First, the documents outline the obstacles that hinder widespread
implementation of RFID technology, including the desire of consumers
to protect their privacy and cynicism about public and private sector
concern for consumer privacy.  The documents cite the need for the
development of a proactive plan that would "neutralize opposition" and
"mitigate possible public backlash."  One proposed method of doing so
is through the creation of a Privacy Advisory Council made up of "well
known, credible, and credentialed experts" who may be "potentially
adversarial advocates."  The documents cite EPIC as an example of a
potential council member.

In related news, retail giant Wal-Mart announced on July 9 that it is
shelving plans to tag consumer products with RFID chips, after it had
urged 100 of its top suppliers to begin tagging products by 2005. 
Wal-Mart had joined forces with Gillette to develop a "smart-shelf"
system, where shelves outfitted with RFID readers would track Gillette
products.  The RFID sensors would alert a store manager when inventory
ran low or a high-theft item was removed from the shelf.  A Wal-Mart
spokesperson said the smart-shelf system, expected to launch at a
store in Brockton, MA, was never fully installed, and materials from
the project have been removed.

Although Wal-Mart says the move simply reflects a corporate decision
to implement RFID technology in warehouses and distribution centers
instead of retail stores, concerns about the misuse of data gleaned
from the tracking devices have prompted a public outcry against the
technology.  Wal-Mart is not the only corporation to forego implanting
consumer products with RFID tags in the wake of public pressure.
Italian clothier Benetton halted plans to tag its apparel after
privacy advocates called for a worldwide boycott of the company's

RFID systems enable data to be transmitted by a portable device,
called a tag, which is read by an RFID reader and processed according
to the needs of a particular application.  The data transmitted by the
tag may provide identification or location information, or specifics
about the product tagged, such as price, color, date of purchase, etc.
 Chips integrated into commonplace products such as floor tiles, shelf
paper, cabinets, appliance, exercise equipment, and grocery and
packaged products would allow even our most intimate activities to be
monitored.  Many technology experts already predict the development of
a seamless network of millions of RFID receivers strategically placed
around the globe in airports, seaports, highways, distribution
centers, warehouses, retail stores, and consumers' homes, all of which
are constantly reading, processing, and evaluating consumers'
behaviors and purchases.

Consumers Against Supermarket Privacy Invasion and Numbering


RFID Developers Internal Public Relations Documents are available at:


EPIC's RFID Page is available at:

[6] EPIC Testifies on Use and Misuse of the Social Security Number

On July 10, the House Subcommittee on Social Security of the Committee
on Ways and Means held a hearing on the need to prevent Social
Security Number (SSN) misuse.  Led by Chairman E. Clay Shaw, Jr.
(R-FL), the hearing focused on the widespread use and misuse of SSNs
in the public and private sectors.  Chairman Shaw announced that the
committee would be introducing new legislation shortly addressing a
variety of SSN issues.  The hearing also examined legislative
proposals aimed at combating SSN misuse and protecting privacy, as
well as the potential ramifications of these proposals on businesses,
consumers, and the government.

In his testimony, EPIC Deputy Counsel Chris Jay Hoofnagle reviewed
historical and recent attempts to regulate the use of the SSN. Stating
that there is ample legislative and judicial support for imposing
limitations on the collection and use of the SSN, Hoofnagle asserted
that consumers are often forced to reveal their SSNs to obtain goods
and services, a practice called "coercive disclosure." Hoofnagle then
described trends involving the SSN, including the statistical rise in
identity theft complaints, the increasing occurrence of large-scale
identity thefts, and the frequent use of the SSN in the private
sector.  He argued that the SSN use regulation is the key to
preventing identify theft.

Hoofnagle recommended that the Committee consider the Social Security
Number Privacy and Identity Theft Protection Act of 2001, 107 H.R.
2036, a guide to limiting the use of the SSN.

Other panelists included Barbara Bovbjerg, the Associate Director of
the General Accounting Office; James G. Huse, Jr., the Inspector
General of the Social Security Administration; Theodore Wern of the
Identity Theft Resource Center, and Steve Edwards of the Georgia
Bureau of Investigations.

Bovbjerg testified on the public and private sector use of the SSN,
and explained how easy it is to obtain false identification through
the SSN by citing a study in which the GAO acquired a false state
driver's license and a false social security card.  Bovbjerg also
emphasized the fact that replacement SSN cards are easily obtained and
can be sold.  Congressman Becerra discussed the possibility of
third-party verification of personally identifying documents such as
the social security card and the driver's license to protect against
fraudulent documents.  Inspector General Huse encouraged limiting the
availability of the SSN on public documents, and stressed that the use
of the SSN as a personal identifier for the private sector is
unnecessary (an idea that proved to be a recurring theme throughout
the hearing).  Wern testified on various forms of identity theft he
has seen through his resource center, focusing on the theft of
children's identities and those of military personnel.  Wern argued
that the SSN is the "golden piece of information" for identity
thieves, and with a name and birth date, one can easily destroy an
individual's credit.

EPIC's Testimony on SSN Misuse is available at:


July 10 Ways and Means Hearing on Use and Misuse of SSN:

[7] EPIC Bookstore: "Censorship Inc."

Lawrence Soley, Censorship Inc., The Corporate Threat to Free Speech
in the United States (Monthly Review Press 2002).


In his review of First Amendment cases, Lawrence Soley argues that the
Supreme Court has created a broad bundle of free speech rights against
government suppression of expression.  Now lawmakers and the courts
should turn to the private sector to grant limited First Amendment
protections against business censorship.  He catalogs the broad array
of censorial powers possessed by private entities -- including product
defamation lawsuits, massive retailers that ban books and music from
stores, and the lack of expressive rights at properties open to and
subsidized by the public.  "Because such tactics are widely used to
restrict speech," Soley argues, "businesses now pose a greater threat
to free speech than government."

We live in a world with increasingly powerful private entities, ones
that operate our meeting places and communities.  For instance,
today's equivalent of the Forum is the modern shopping mall.  But most
mall operators do not allow free speech, and courts in most states
don't require it.  Further, mall owners can surround their buildings
with massive parking lots, insulating the shopper from the possibility
of being exposed to the inconvenient ideas presented by protestors. 
We should consider whether we have lost something as a society when
our principal meeting places are insulated from all messages except
the commercial.

Soley gives special attention to the censorial efforts of the
advertising industry.  He introduces the topic with a quote from
legendary journalist and editor George Seldes.  I've never heard a
media lawyer ever utter his name, but he should be on our minds
because he accepted no advertising and, as a result, was free to fully
cover the misdeeds of big business and tobacco long before
ad-dependent mass media could.  Soley shows that large advertisers
effectively place prior restraints on content by pulling accounts
where publications even mentioned cancer, spoke of the availability of
non-smoking flights, or covered homosexual lifestyles.  Revlon even
pulled advertising in an issue of one magazine because the cover bore
the faces of women sans makeup.  Addressing these issues is difficult
because the modern newspaper now contains more advertising than news,
and derives its profits from advertising rather than subscriptions.

Nevertheless, we could have a freer future with limited First
Amendment protections against private actors.  Soley's book pushes us
in that direction, towards greater employee rights, free expression
for artists and musicians, and for political organizing.

--Chris Jay Hoofnagle                


EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore

     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk
and Science Fiction.  August 11-13, 2003.  Prague, Czech Republic.
For more information:

Chaos Communication Camp 2003: The International Hacker Open Air
Gathering.  Chaos Computer Club.  August 7-10, 2003. Paulshof,
Altlandsberg, Germany.  For more information: http://www.ccc.de/camp/

WWW2003: 5th Annual Conference on World Wide Web Applications.
Department of Information Studies, Rand Afrikaans University, and the
Department of Information Systems and Technology, University of
Durban-Westville.  September 10-12, 2003.  Durban, South Africa.  For
more information: http://www.udw.ac.za/www2003/

Making Intelligence Accountable, Oslo, Norway September 19-20, 2003.
The Geneva Centre for the Democratic Control of Armed Forces.  For
more information:

Privacy2003.  Technology Policy Group.  September 30-October 2, 2003.
Columbus, OH.  For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:


Subscribe/unsubscribe via e-mail:

     To: epic_news-request@mailman.epic.org
     Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Problems or questions? e-mail < info@epic.org >

Back issues are available at: http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription e-mail address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140
(tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.15 ----------------------