                            E P I C  A l e r t
Volume 10.18                                          September 4, 2003

                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] EPIC Releases 2003 Privacy and Human Rights Report
[2] Passenger Profiling Information Sought in New EPIC FOIA Suit
[3] EPIC and Friends File Brief In Supreme Court Privacy Case
[4] FTC Releases Identity Theft Statistics
[5] Federal Court Invalidates Washington Phone Privacy Rules
[6] Congress to Consider Critical Affiliate Sharing Privacy Issues
[7] EPIC Bookstore: The Governance of Privacy
[8] Upcoming Conferences and Events

[1] EPIC Releases 2003 Privacy and Human Rights Report

The Electronic Privacy Information Center (EPIC) and Privacy
International will release the sixth annual Privacy and Human Rights
survey this Friday, September 5.  The report reviews the state of
privacy in over fifty-five countries around the world.  It is the most
comprehensive report on privacy and data protection ever published.
The report will be released at a press conference at the National
Press Club in Washington, DC.

Privacy and Human Rights 2003 documents several new challenges and
developments in the international privacy arena in the past year.
Advancements in technology, combined with a shifting international
political climate, have set the stage for increased government
experimentation with new systems of surveillance, affecting many
fundamental human rights, including privacy.  Under the banner of
anti-terrorism, several nations have implemented traveler profiling
tools and databases, and new systems of identification.  Most
prominent among these is the United States' CAPPS II system, an
airline passenger profiling system that uses passengers' personal data
and records in an attempt to detect potential security threats.

Other surveillance methods gaining prominence include the use of
biometrics and computerized national ID databases and cards.
Biometrics -- the science of using physical identifiers such as
fingerprints, iris/retina, or facial patterns -- has received
increasing attention from governments and law enforcement agencies in
the past year.  Several nations are also developing new identification
and authentication systems, such as smart cards and digital
identification cards.  Japan launched a computerized national ID
system which compiles the personal data of residents into a
centralized national database that can be accessed by the government.
Other countries, including Austria, Belgium, Germany, Hong Kong,
Russia and Spain are establishing similar systems.

The WHOIS database is another system threatening privacy rights.
Originally intended to allow network administrators to find and fix
problems with minimal hassle to maintain the stability of the
Internet, it now exposes the personally identifiable information of
domain name registrants to spammers, stalkers, criminal
investigators, and copyright enforcers.

But while nations have taken advantage of the unstable international
environment to promote privacy-endangering policies, individuals and
advocacy groups have made headway in opposing many of these efforts.
In the United States, public outcry over the Pentagon's Total
Information Awareness program led to a curb in its funding and the
eventual resignation of the program's chief, retired admiral John
Poindexter.  In Taiwan, a coalition successfully fought against a
next-generation national ID system.  In Canada, advocacy efforts led
to a modification of a government data gathering scheme on travelers
entering the country.

The 2003 Privacy and Human Rights press conference will be held at 1
p.m. ET on Friday, September 5, at the National Press Club in
Washington D.C.  There will be a live web cast which can be accessed
from EPIC's website.

To learn more about the report or purchase copies go to:


To access the webcast go to:


[2] Passenger Profiling Information Sought in New EPIC FOIA Suit

EPIC today filed suit against the Transportation Security
Administration (TSA) in federal district court seeking the immediate
disclosure of information concerning the development of the
government's controversial passenger profiling program.  The lawsuit
alleges that the TSA has failed to comply with the disclosure
requirements of the Freedom of Information Act.  EPIC argues that the
TSA's immediate disclosure of information about the enhanced Computer
Assisted Passenger Prescreening System (CAPPS II) is crucial because
public comments on a TSA Privacy Act Notice are due September 30, and
the public needs as much information about the system as possible to
submit effective, meaningful responses.  EPIC has asked the court to
issue an emergency order requiring disclosure.

The subject of the lawsuit is EPIC's request for "Capital Asset Plan
and Business Case" (Exhibit 300) materials on CAPPS II that the TSA
has prepared for the Office of Management and Budget (OMB), and any
privacy impact assessments the TSA has conducted on CAPPS II.  The OMB
requires agencies seeking funding for projects to submit an Exhibit
300, which requires, among other things, an evaluation of privacy and
security risks that a project might pose.  Furthermore, the
E-Government Act of 2002 requires agencies to prepare a privacy impact
assessment before developing or procuring information technology that
collects, maintains or disseminates identifiable information.

While the TSA has repeatedly assured the public that CAPPS II will
respect the privacy rights of air passengers, it has not disclosed any
internal documents assessing the potential privacy or civil liberties
impact of the program.  In March, EPIC requested from the TSA any
privacy assessments of CAPPS II, as well as information from the DOD
concerning Pentagon involvement in the screening system.  Neither
agency processed the requests within the time frame set out by the
Freedom of Information Act, despite their agreement to "expedite" the
process.  In response, EPIC filed an earlier lawsuit in June against
the TSA and DOD, which is still pending.

The TSA CAPPS II Notice is available at:


More information about CAPPS II is available at EPIC's Air Travel
Privacy Page:


[3] EPIC and Friends File Brief in Supreme Court Privacy Case

Along with twelve privacy organizations and nineteen scholars and
technical experts, EPIC has filed an amicus brief in Doe v. Chao, a
case in which the Supreme Court will consider what proof an individual
must show to recover the minimal $1000 damages the Privacy Act
provides when the government unlawfully discloses that individual's
Social Security Number (SSN).  The "friend of the court" brief argues
that those who suffer adverse effects as a result of wrongful SSN
disclosure should be awarded damages, and should not have to prove
actual, tangible harm to recover.

In this case, the Department of Labor was sued by coal miners who
filed claims with the government for black lung benefits.  To process
the claims, the Department of Labor used applicants' SSNs to identify
their applications.  As identification numbers, the SSNs were
disclosed to other applicants, applicants' employers and lawyers, and
were made publicly available in administrative law decisions and
computerized legal research databases.  Considering the miners' suit,
a federal district court determined that emotional distress is a
sufficient harm to trigger recovery under the Privacy Act, and that
because Doe in particular had demonstrated enough emotional distress
to justify recovery, he was entitled to the $1000 damages.  The Fourth
Circuit Court of Appeals disagreed, finding that Doe was not entitled
to the award under the Privacy Act because he did not show that any
tangible consequences flowed from the emotional distress he
experienced due to the wrongful disclosure of his SSN.

The amicus brief first discusses the grave dangers to privacy and
security posed by SSN distribution, specifically discussing how the
SSN is frequently used to identify an individual's records in
databases containing financial, medical, educational, and credit
information.  Such widespread use of the SSN exposes individuals to
such hazards as identity theft.  The brief thus argues that disclosure
of the SSN must be carefully proscribed to minimize these risks, and
to award damages for wrongful disclosure on the basis of adverse
effects alone -- rather than upon a showing of actual harm as a result
of disclosure -- helps to serve that end.

The brief then points out that Congress has provided "liquidated
damages" by statute -- the amount of which is determined in advance so
that a dollar amount doesn't have to be specifically proven -- in
other privacy laws to enforce rights that are difficult to place a
money value on.  A recurring dilemma in privacy law is the difficulty
of proving that a person has actually been injured by an invasion of
privacy.  For that reason, many privacy laws automatically award an
individual damages if he/she can show that the prohibited violation
has been committed, eliminating any need to prove that he/she has
experienced tangible harm.

Finally, the brief refers to the legislative history of the Privacy
Act to show that the law's authors intended that liquidated damages
would be provided, and that individuals should not have to prove that
they suffered actual harm.  The Privacy Act's legislative history also
reflects longstanding Congressional recognition of the risks to
privacy posed by unnecessary SSN disclosure.

The Doe v. Chao amicus brief is available at:


The Fourth Circuit opinion in Doe v. Chao is available at:


The Privacy Act of 1974 is available at:


For more information about the case, see EPIC's Doe v. Chao Page:


[4] FTC Releases Identity Survey Report

On September 3, the Federal Trade Commission released a report on
identity theft in the United States based on a survey of more than
4,000 U.S. adults.  According to the FTC, last year identity theft
cost victims $5 billion in out-of-pocket expenses, as well as 300
million hours of their time trying to fix damage caused by the crime.
The FTC survey shows that in all 27.3 million Americans were affected by
identity theft over the past five years, including 9.9 million people
in the last year alone.  Although many groups have issued studies
showing the immense harm caused by identity theft, the FTC has "never
been clear as to the scale of the problem," and agency officials were
apparently surprised by the findings.

The FTC found that 49 percent of all the 4057 respondents did not have
any idea whatsoever how their identity came to be purloined, while 22
percent cited theft and another 12 percent claimed the information was
stolen in the course of a transaction.  Businesses incurred $48
billion in loss as a result of identity theft; but most of this is
borne not by credit card issuers, but rather by merchants who accept
the transaction.

The agency's official response to these findings was reactive and not
likely to prevent identity theft in the future.  With the exception of
requiring merchants to truncate card numbers on receipts, all proposed
legislative measures are concerned with the aftermath of the crime,
such as the creation of a uniform identity theft affidavit for
victims.  Most of the recommendations urged consumers to be more
careful, and entirely ignored the identity theft problems caused by
credit issuers, information sharing, and dishonest employees with
access to personal data.  In fact, the FTC's recommendations flowing
from the survey may exacerbate identity theft problems, as the agency
is recommending that Congress preempt state credit laws, which will
have the secondary effect of eliminating some state authority to pass
identity theft legislation.

The Federal Trade Commission Identity Theft Survey Report is available
at:

      http://www.ftc.gov/os/2003/09/synovatereport.pdf (pdf)

View the FTC press release regarding the report at:


View Privacy Rights Clearinghouse ID Theft Materials at:


[5] Federal Court Invalidates Washington Phone Privacy Rules

Last week, a U.S. District Court in Seattle ruled that the State of
Washington's attempt to restrict the sharing of Consumer Proprietary
Network Information (CPNI) does not meet constitutional muster.  The
court's August 26 order grants Verizon's request for summary judgment
against the Washington Utilities and Transportation Commission (WUTC),
which adopted the regulations last year to safeguard detailed
information about the consumer calling data from disclosure without
consumer permission.  The regulations, which took effect January 1,
require consumers' express consent to the sharing of their calling
habits and features of their calling plan for marketing purposes.
Verizon argued that requiring consumers' consent before the company
shares this information with marketers is an infringement of the First
Amendment's grant of free speech and goes far beyond what the Federal
Communications Commission requires.

In its opinion, the court expressed concern over restricting what
Verizon can and cannot say about the information the company has
gathered about its consumers.  The court found the WUTC's regulations
inadequate because they do not cover wireless services, are not
concise, and may not overtly convey to consumers that they need to
consent before affiliate companies can market to them.  The court
opinion requires WUTC to find a way that is less burdensome on the
speech rights of companies, and proposes that the Commission
reconsider the less-stringent opt-out policy in combination with a
public education campaign.

The court was influenced by the Federal Communications Commission's
(FCC) less stringent regulations.  The FCC only requires
telecommunications firms to have an opt-out policy -- a policy that
places the burden on consumers to affirmatively request that a company
not share information about their calls.  WUTC's regulations, on the
other hand, create an opt-in policy, shifting the burden from the
consumer to the company to seek permission before sharing consumer
information. WUTC rejected the opt-out approach in its rulemaking
process in response to public comment it received on the regulations.
EPIC submitted comments in favor of opt-in during the public comment

Although the court acknowledged that there is a significant state
interest in protecting consumer privacy, it held that WUTC's
regulations adopted to limit the unauthorized use of CPNI "do not
advance that interest in the direct and material way and are not
narrowly tailored," as required by the First Amendment regarding
information sharing.

A WUTC spokeswoman says that the Commission may appeal to the Ninth
Circuit U.S. Court of Appeals.

The Washington Utilities and Transportation Commission Web Site with a
link to the U.S. District Court opinion is available at:


Verizon's Privacy Policy for telephone company consumers is available
at:


More information about Consumer Proprietary Network Information and
links to EPIC's submitted comments are available at EPIC's CPNI Page:


[6] Congress to Consider Critical Affiliate Sharing Privacy Issues

This Fall, Congress is likely to amend the federal Fair Credit
Reporting Act (FCRA) and in doing so, may override or "preempt" state
laws on affiliate sharing of personal information.  Affiliate sharing
is the practice of transferring personal information amongst companies
with the same corporate ownership.  Information transferred can
include name and contact information, Social Security Number, purchase
information, account numbers and balances, and even the information
individuals write on checks.  Affiliate sharing is invasive because
individuals have no access to the data and cannot obtain an accounting
of disclosures; it is used to generate unwanted marketing and
telemarketing; and because it puts personal information at risk of
being misused.

Affiliate sharing presents a large and growing risk to individuals'
privacy.  It is likely to be the most important financial services
privacy issue in the next decade, especially as companies increase
profiling, cross-selling, and telemarketing activities using
affiliate-shared information.  Companies, such as Citibank, that have
1,900 affiliates, or Bank of America, with over 1,000 entities in its
corporate family, can transmit personal information for these purposes
to an unlimited degree under federal law.  If Congress continues this
standard, it will permanently prevent states from passing laws to
establish reasonable restrictions on affiliate sharing and on some
areas of identity theft.  Furthermore, a federal standard is highly
anti-democratic, and comes at a time when California legislators have
just enacted a new law for affiliate sharing regulation that enjoys
significant public support.

The House is expected to consider preemption when voting on H.R. 2622,
the Fair and Accurate Credit Transactions Act of 2003.  That law would
permanently preempt state privacy and identity theft law, and water
down other consumer protections in the Fair Credit Reporting Act.

Senators Barbara Boxer (D-CA) and Dianne Feinstein (D-CA) have both
called upon the Senate Banking and House Financial Services Committees
to preserve state privacy laws.  The prospect for greater financial
services privacy is brighter in the Senate, where Senate Banking
Chairman Richard Shelby (R-AL) and Ranking Member Paul Sarbanes (D-MD)
both support greater privacy and identity theft protection.
Individuals wishing to preserve financial privacy and the ability of
states to pass identity theft laws should contact their Senators. Both
US PIRG and Consumers Union have online forms for contacting Congress
to support privacy rights.

EPIC Privacy and Preemption Page:


US PIRG Action Item on Preemption:


Consumers Union Action Item on Preemption:


H.R.2622, Fair and Accurate Credit Transactions Act of 2003:


Section by Section Analysis of H.R. 2622:


[7] EPIC Bookstore: The Governance of Privacy

Colin Bennett and Charles Raab: The Governance of Privacy - Policy
Instruments in Global Perspective (Aldershot, Ashgate 2003)


Colin Bennett and Charles Raab are political scientists who have
collaborated in their work on privacy protection policy over the past
ten years, and this book is the summary of their research and
conclusions to date.  Texts on privacy tend to have a tome-like
quality to them, particularly when dealing with the arcane details of
regulation or methodology of practice.  This one, however, is an
interesting read for the privacy practitioner while serving as a
valuable analysis of the history for scholars.

The authors summarize, analyze, and evaluate the vast welter of
activity that has taken place over the past thirty years in our
efforts to deal with the impact of technology and globalization on the
preservation of privacy.  At 230 pages this is a relatively concise
history in three parts: Policy Goals, Policy Instruments, and Policy
Impacts.  They analyse the reasons that states and economies have
moved to protect privacy, from a social and economic policy
perspective.  They look at four instruments:  transnational policy
instruments, legal instruments and regulatory agencies,
self-regulatory instruments, and technological instruments.  Then they
attempt to assess the impacts and outcomes.

In their concluding chapter, entitled "International Privacy
Protection:  A race to the Top, the Bottom, or Somewhere Else" they
draw conclusions about where they see the pressures of globalization
and the "risk society" taking the issue now.  You will have to read
the book to get the answers, but suffice to say that if anyone needs
ammunition to use in those aggravating arguments with folks who think
privacy has been solved or dispensed with and is going away, they will
find it here, nicely laid out and analysed.  There is the odd time
when you might feel like you are climbing a mountain during the middle
chapters of this analysis, but the rewards are great when you get to
the top and can appreciate the view. A very useful text for courses on
privacy, regardless of the discipline.

--Stephanie Perrin


EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"Privacy & Human Rights 2003: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty-five countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

       EPIC Bookstore

       "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Voting Machines: A Threat To Democracy?  The Ethical Society.
September 7, 2003.  Philadelphia, Pennsylvania.  For more information:

Surveillance and Privacy 2003:  Terrorists and Watchdogs.  Baker &
McKenzie Cyberspace Law and Policy Centre and University of New South
Wales Law Faculty.  September 8-9, 2003.  Sydney, Australia.  For more
information: http://www.bakercyberlawcentre.org/2003/Privacy_Conf/

25th International Conference of Data Protection and Privacy
Commissioners.  September 10-12, 2003.  Sydney, Australia.  For more
information: http://www.privacyconference2003.org/

WWW2003: 5th Annual Conference on World Wide Web Applications.
Department of Information Studies, Rand Afrikaans University, and the
Department of Information Systems and Technology, University of
Durban-Westville.  September 10-12, 2003.  Durban, South Africa.  For
more information: http://www.udw.ac.za/www2003/

Public Forum: It's 2003! Do you know where your civil liberties are?
Arlington, Virginia Chapter of Amnesty International. September 14.
Arlington, Virginia. For more information: email

Annual Symposium and Training Conference: Openness and Security:
Rights and Responsibilities. American Society of Access Professionals.
September 16-17, 2003. Washington D.C. For more information:

Making Intelligence Accountable.  September 19-20, 2003.  Oslo,
Norway. The Geneva Centre for the Democratic Control of Armed Forces.
For more information:

The State of Accountable Government in a Surveillance Society.  Office
of the Information and Privacy Commissioner for British Columbia.
September 25-26, 2003.  Victoria, British Columbia.  For more
information:  http://www.oipc.bc.ca/anniversary/

Privacy2003.  Technology Policy Group.  September 30-October 2, 2003.
Columbus, Ohio.  For more information:

UbiComp 2003 Privacy Workshop.  October 12, 2003.  Seattle, WA.  For
more information:

Getting the Technology You Deserve:  Community Participation in
Regional Cable Franchise Policy.  Computer Professionals for Social
Responsibility.  October 25, 2003.  Seattle, Washington.  For more
information: http://www.cpsr.org/conferences/annmtg03/

ICANN Meeting.  Internet Corporation for Assigned Names and Numbers.
October 27-31, 2003.  Carthage, Tunisia.  For more information:

RFID Privacy Workshop.  Massachusetts Institute of Technology.
November 15, 2003.  Boston, Massachusetts.  For more information:

Localizing the Internet: Ethical Issues in Intercultural Perspective.
International Center for Information Ethics.  October 4-6, 2004.
Karlsruhe, Germany.  For more information:

Media Freedoms and the Arab World.  The Arab Archives Institute.
December 6-8, 2003. Amman, Jordan. For more information: email
aainstitute@yahoo.com or see

WHOLES - A Multiple View of Individual Privacy in a Networked World.
Swedish Institute of Computer Science. January 30-31, 2004. Stockholm,
Sweden. For more information: http://www.sics.se/privacy/wholes2004.

Subscription Information

Subscribe/unsubscribe via Web interface:


Subscribe/unsubscribe via e-mail:

      To: epic_news-request@mailman.epic.org
      Subject: "subscribe" or "unsubscribe" (no quotes)

Automated help with subscribing/unsubscribing:

      To: epic_news-request@mailman.epic.org
      Subject: "help" (no quotes)

Problems or questions? e-mail <info@epic.org>

Back issues are available at: http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription e-mail address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140
(tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 10.18 ----------------------