EPIC logo

                           E P I C  A l e r t
Volume 10.17                                            August 21, 2003

                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents

[1] Poindexter Resigns, But Legacy of TIA Remains
[2] Tampa Police Drop Failing Face Recognition System
[3] CA Passes Strongest Financial Privacy Standard in the Nation
[4] EPIC Releases Fact Sheet on Homeless Tracking Systems
[5] Maryland Governor Orders Audit of Electronic Voting Machines
[6] News in Brief
[7] EPIC Bookstore: Protecting Your Money, Privacy and Identity
[8] Upcoming Conferences and Events

[1] Poindexter Resigns, But Legacy of TIA Remains

Retired Admiral John M. Poindexter has resigned from his position as
head of the Defense Advanced Research Projects Agency's Information
Awareness Office.  In a strongly-worded and unapologetic resignation
letter, Poindexter defended his office's controversial projects,
including its plans for an online futures market for predicting
terrorist attacks and its Total Information Awareness (TIA) system. 
He dismissed mounting criticism from both government officials and
citizens as the result of misunderstanding, misrepresentation by
media, and a "highly-charged political environment."

Poindexter insisted that the Total Information Awareness project -- a
surveillance system employing a centralized global database of
individuals' personal data -- was not a threat to privacy. "We never
contemplated spying and saving data on Americans," wrote Poindexter. 
"We only wanted to find specific patterns of activities that would
lead us to foreign terrorists."

While Poindexter's resignation, and severely curtailed funding for the
project, leave the future of TIA in doubt, a new state-level system in
Florida may serve much the same function.  Police agencies in the
state are currently developing a centralized database surveillance
system similar in structure to TIA, with funding assistance from both
the Justice Department and the Department of Homeland Security.  The
system, dubbed Matrix, would enable investigators to find patterns and
links among people and events using a combination of police records
and commercially available personal data.  At least 135 police
agencies have signed up for the service, which is poised to expand to
other states across the country.

The text of Poindexter's resignation letter is available at:


More information about the TIA system is available at EPIC's Total
Information Awareness Page:


Read more about Florida's new centralized Matrix surveillance system
at "U.S. Backs Florida's New Counterterrorism Database," Washington
Post, August 6, 2003:

[2] Tampa Police Drop Failing Face Recognition System

The Tampa Police Department has abandoned the face recognition
software used in conjunction with its video surveillance cameras,
citing the system's failure to recognize anyone wanted by the
authorities over a two-year period.  Tampa authorities first used the
technology during the 2001 Super Bowl -- without any success -- when
they systematically scanned every attendee's face to compare it with a
list of suspects' mug shots.  The system used in Tampa never led to
any arrests or positive identifications, though occasionally wrongly
identified innocent people as wanted felons.

Face recognition technology is one of the tools used in biometrics,
the science of identifying people using parts of their bodies. 
Coupled with video surveillance, the technology captures "signatures"
of faces on high-resolution cameras and compares them with mug shots
in police databases, which generally include people with outstanding
felony warrants, and those on the FBI's "most wanted" list and
terrorist watchlists.

Face recognition technology has never been proved to be reliable.
Studies sponsored by the U.S. Department of Defense have shown the
system is accurate only fifty-four percent of the time and can be
significantly compromised by changes in lighting, weight, hair,
sunglasses, subject cooperation, and other factors.  Likewise, tests
on the face recognition systems in operation at Palm Beach Airport in
Florida have shown the technology to be ineffective and error-ridden,
leading authorities to forego use of face-recognition equipment.  In
Virginia Beach, Virginia, police use of the technology has not
resulted in the apprehension of a single wanted person in over a year.

In Washington, DC, the Metropolitan Police Department (MPD) two years
ago began installing a wide network of cameras without prior
authorization from the City Council.  Last year, under pressure from
Congress, the Council and civil liberties organizations, the MPD
agreed to comply with a set of video surveillance guidelines.  The
guidelines do not, however, regulate the use of facial recognition
tools.  Although the technology apparently has never been used in
conjunction with the DC cameras, nothing would prevent the police from
doing so; the MPD has always left open that possibility and has
acknowledged that its cameras could easily operate with face
recognition tools.  A bill pending in the DC Council would flatly
prohibit any use of face recognition technology without specific
legislative authorization.  The United States Park Police, a federal
agency with jurisdiction over DC's federal lands, recently released a
"Closed Circuit Television Policy" that leaves open the possibility of
using the technology with its cameras located on the Mall and other
federal areas of the nation's capital.

More information about video surveillance is available at:

More information about face recognition is available at:


Information about EPIC's Observing Surveillance project is available


[3] CA Passes Strongest Financial Privacy Standard in the Nation

California will soon have the strongest financial privacy protections
in the country as the result of the passage of SB 1, the California
Financial Information Privacy Act.  Introduced by State Senator Jackie
Speier (D-San Mateo), passage of the bill followed a critical
compromise among the bill's sponsors, privacy advocates, and the
financial services industry.  Governor Gray Davis is expected to sign
the bill into law within the next ten days, which will end a four-year
debate in the State on financial privacy and the progress of a
stronger initiative movement that would have required opt-in for all
disclosures of personal information.

Under the federal Gramm-Leach-Bliley Act, financial services companies
must give notice of their privacy policies and allow individuals to
opt out of information sharing among non-affiliated companies.
Accordingly, financial services companies can transfer information
amongst corporate affiliates over a customer's objection, and can
fashion "joint marketing" agreements to circumvent the wishes of
individuals who opt out.

Under the new law, Californians will be able to opt out of some
affiliate sharing, and opt-in will be required before financial
services companies sell information to non-affiliates.  Certain
affiliates -- those regulated by the same agency and that operate in
the same line of business -- will be able to transfer data even if a
customer opts out.  The bill requires financial institutions to
provide consumers with a self-addressed envelope for opting out.
Institutions will not be able to deny services to those who choose to
restrict the exploitation of personal information.

The ultimate fate of these protections is unclear.  A recent decision
in Bank of America v. Daly City (see EPIC Alert 8.16) struck down
regulations of affiliate sharing enacted by several California cities.
It is likely that the financial services industry, despite agreeing
not to oppose SB 1, will file suit to have the affiliate sharing
provisions invalidated.  The impending suit should not affect
provisions of the law on notice and non-affiliate sharing.

However, Congress could take action this fall, and apply the
California standard to the entire country when considering amendments
to the federal Fair Credit Reporting Act.

The text of SB 1 is available at:


More information about the Gramm-Leach-Bliley Act is available at:


More information about the Fair Credit Reporting Act is available at:


Additional information about federal financial privacy law is
available at:


[4] EPIC Releases Fact Sheet on Homeless Tracking Systems

EPIC has published a fact sheet on Homeless Management Information
Systems (HMIS) (see EPIC Alert 10.16).  HMIS are database systems that
the Department of Housing and Urban Development (HUD) is requiring
shelters to maintain.  Under the proposed guidelines, federally funded
shelters and other care organizations will be required to collect
unique identifiers, as well as physical and mental health information
on each benefits recipient.  There are specific provisions that
require the collection of HIV and pregnancy status.

Homeless tracking presents a number of privacy and civil liberties
concerns.  First, HMIS lays the infrastructure for a nationwide system
of homeless tracking.  The proposed guidelines mandate consistency in
data collection, and the ability to export all data in the system to a
common format.  This raises substantial risks for those living with
HIV, physical or mental health disabilities, or others who have
conditions that potentially subject them to stigma or discrimination.

Second, government access to the database is nearly unlimited.  Under
the proposed guidelines, system users can disclose information from
the database to Secret Service or agents of a national security agency
without any showing of an emergency, a court order, or even a risk of
attack.  Law enforcement access is more limited, but nevertheless, HUD
is not requiring police to obtain warrants or court orders before
releasing HMIS data.

Third, HMIS places victims of domestic violence at heightened risk of
harm.  Many victims flee violent partners by staying in shelters, and
HMIS may provide opportunities for malicious actors to locate their

The EPIC fact sheet argues that HUD should seek less invasive
alternatives to evaluate the effectiveness of benefits and support for
the poor.  For instance, HUD could perform a census on a specific day
to obtain an unduplicated count of the homeless staying in particular
shelters.  Such a census would not require the collection of personal
identifiers or tracking over time, and would be less expensive.

The public can comment on HMIS until September 22, 2003 by mail to
HUD.  No provision for electronic or fax submissions has been
arranged.  Comments should be addressed to:

Michael Roanhouse
Re: Doc. No. FR 4848-N-01 / HMIS Data
Office of Special Needs Assistance Programs
Office of the Assistant Secretary for Community Planning and
Room 7262  HUD
451 7th St. SW
Washington, DC 20410

EPIC's Homeless Tracking Fact Sheet is available at:


HUD's proposed HMIS Guidelines are available at:


More information about privacy and the homeless is available at:


[5] Maryland Governor Orders Audit of Electronic Voting Machines

Less than two weeks after Johns Hopkins University computer scientists
released a report criticizing security flaws in Diebold voting
machines (see EPIC Alert 10.16), Maryland Governor Bob Ehrlich has
ordered an independent review of the 11,000 touch-screen AccuVote-TS
voting machines that the state of Maryland agreed to purchase from
Diebold for $55.6 million. Maryland officials had intended the
electronic voting system to be used in the presidential primary
election next spring.

Maryland retained Science Application International Corporation, an
international computer security firm, to evaluate the Diebold machines
and their proprietary code.  If the firm is not satisfied with the
machines' security, the state may request that Diebold make
improvements or cancel the purchase altogether.

Ehrlich's order supports the position of a Maryland state panel that
asked the state not to purchase new voting technology without a better
understanding of its accuracy and security risks, a request which
Maryland denied.  State elections board officials expressed little
interest in delaying the purchase prior to Ehrlich's order, claiming
that state and federal law require Maryland to improve its voting
systems as soon as possible.

The Johns Hopkins researchers' study concluded last month that
AccuVote-TS voting machines, the same machines Maryland agreed to
purchase from Diebold, could be easily manipulated by hackers, voting
insiders and others to produce skewed voting results.

The press release from Governor Ehrlich's office announcing the review
order is available at:

The Johns Hopkins researchers' report "Analysis of an Electronic
Voting System" is available at:


More information about electronic voting is available at:


[6] News in Brief

Mississippi District Installs Webcams in Classrooms

A school district in Biloxi, Mississippi became the first in the
nation to install a system of Internet-wired video cameras, nearly 500
total, to monitor its classrooms and hallways 24 hours a day.  The
district, which enrolls 6,300 students, cited security concerns as the
basis for its camera use.  Only designated school officials and
security personnel are permitted to view the images, which can be
displayed on computers linked to the Internet.  Other school districts
in the U.S. and Britain are beginning to experiment with classroom
webcams, as well.

Additional information about student privacy is available at:


Presidential Commission Proposes Monitoring Mail

The President's Commission on the Postal Service has recommended that
the postal agency collaborate with the Department of Homeland Security
to study the development of sender-identification requirements for all
mail.  A proposed system, called "Intelligent Mail," would use
tracking codes to verify who sends and receives mail. The commission
cited the system as a way to improve the security of the postal
network, as well as a means of enabling businesses and consumers track
their mail.  Critics, however, warn that eliminating the ability to
send anonymous mail could infringe on individual privacy rights.

The final report of the President's Commission on the Postal Service
is available at:


EPIC Introduces Five New Web Pages

The Electronic Privacy Information Center has added five new web pages
to its site, focusing on RFID tags; credit scoring; polygraph testing;
the Privacy Protection Act of 1980; the Right to Financial Privacy
Act; and privileges.  In addition, privacy.org provides a daily update
of new developments on privacy-related issues.

EPIC's new RFID Page is available at:


EPIC's new Credit Scoring Page is available at:


EPIC's new Polygraph Testing Page is available at:


EPIC's new Privacy Protection Act of 1980 Page is available at:


EPIC's new Right to Financial Privacy Act Page is available at:


EPIC's new Privileges Page is available at:


For up-to-date news on new developments on privacy-related issues,


[7] EPIC Bookstore: Protecting Your Money, Privacy and Identity

Jim Gaston & Paul Wing: Protecting Your Money, Privacy and Identity
from Theft, Loss and Misuse (The Canadian Institute of Chartered
Accountants 2003).


There is no lack of writing and warnings out there about the need to
protect yourself and your assets these days, but it is hard to find a
book you would give your aging mother to read to help her get up the
courage to bank online.  This new publication, although focused on the
Canadian environment, is a very useful contribution to the literature.

We still long for the republication and updating of the now
out-of-print classic "The Privacy Rights Handbook: How to Take Control
of Your Personal Information," by Beth Givens of the Privacy Rights
Clearinghouse, but there is no sign of that happening soon.  In the
meantime, Gaston and Wing have done a great job of organizing the
daunting task of protecting your own personal information.  They are
banking and Internet security experts, and have included a number of
useful tips about everyday e-commerce tasks.  This is a calm and sober
walk through the mysteries of protecting your personal information,
with a family perspective.

There is a certain amount of repetition in the book, because it is
organized into chapters which naturally have overlap (sensitive
information at home and away, communications and transactions, debit
cards and credit cards, seven chapters on all aspects of protecting
your computer, your transactions, your email, etc.).  Activities are
rated in terms of risk, and there are summaries of "Practical Steps to
Protect Yourself" in each chapter under each theme, such as dealing
with telephone inquiries, sending and receiving faxes, and using
wireless connections.  More computer literate readers will doubtless
argue with some of the advice, or complain that it is not detailed
enough.  This book is aimed at the general reader, though, and one of
the biggest problems we have to deal with in teaching good privacy and
security practices is the fact that the average user is very easily
overwhelmed by technical information.

There are useful workbooks at the back of the book, and a short
glossary.  The book could be more useful for the reader who wants to
learn more if it included a bibliography for further reading.  There
is no discussion of the problems of particular platforms, hardware and
software -- obviously a deliberate choice -- but there is no question
these decisions make a difference to risk.  Finally, once everyone
follows the advice and gets virus scanners and firewalls, managing
them could be dealt with in more detail.

--Stephanie Perrin


EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore

     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Voting Machines: A Threat To Democracy?  The Ethical Society.
September 7, 2003.  Philadelphia, Pennsylvania.  For more information:

Surveillance and Privacy 2003:  Terrorists and Watchdogs.  Baker &
McKenzie Cyberspace Law and Policy Centre and University of New South
Wales Law Faculty.  September 8-9, 2003.  Sydney, Australia.  For more
information: http://www.bakercyberlawcentre.org/2003/Privacy_Conf/

25th International Conference of Data Protection and Privacy
Commissioners.  September 10-12, 2003.  Sydney, Australia.  For more
information: http://www.privacyconference2003.org/

WWW2003: 5th Annual Conference on World Wide Web Applications.
Department of Information Studies, Rand Afrikaans University, and the
Department of Information Systems and Technology, University of
Durban-Westville.  September 10-12, 2003.  Durban, South Africa.  For
more information: http://www.udw.ac.za/www2003/

Making Intelligence Accountable,  September 19-20, 2003.  Oslo,
Norway. The Geneva Centre for the Democratic Control of Armed Forces.
For more information:

The State of Accountable Government in a Surveillance Society.  Office
of the Information and Privacy Commissioner for British Columbia.
September 25-26, 2003.  Victoria, British Columbia.  For more
information:  http://www.oipc.bc.ca/anniversary/

Privacy2003.  Technology Policy Group.  September 30-October 2, 2003.
Columbus, OH.  For more information:

UbiComp 2003 Privacy Workshop.  October 12, 2003.  Seattle, WA.  For
more information:

Getting the Technology You Deserve:  Community Participation in
Regional Cable Franchise Policy.  Computer Professionals for Social
Responsibility.  October 25, 2003.  Seattle, Washington.  For more
information: http://www.cpsr.org/conferences/annmtg03/

ICANN Meeting.  Internet Corporation for Assigned Names and Numbers.
October 27-31, 2003.  Carthage, Tunisia.  For more information:

RFID Privacy Workshop.  Massachusetts Institute of Technology.
November 15, 2003.  Boston, Massachusetts.  For more information:

Localizing the Internet: Ethical Issues in Intercultural Perspective.
International Center for Information Ethics.  October 4-6, 2004.
Karlsruhe, Germany.  For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:


Subscribe/unsubscribe via e-mail:

     To: epic_news-request@mailman.epic.org
     Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Problems or questions? e-mail < info@epic.org >

Back issues are available at: http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription e-mail address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140
(tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.17 ----------------------