EPIC logo

E P I C - 2003 Year in Review
Volume 10.26 December 31, 2003
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C. ======================================================================
2 0 0 3 P R I V A C Y Y E A R I N R E V I E W
====================================================================== January 8: Gillette and Wal-Mart Test RFID "Smart Shelf" Technology

Gillette and Wal-Mart announce plans to test in a Massachusetts
Wal-Mart "smart shelves," which identify radio frequencies emitted
by Radio Frequency Identification (RFID) chips embedded in Gillette
products. Gilette says that the technology will help monitor
inventory and reduce theft, but privacy groups charge that it will
also be used to track consumers. January 21: Privacy Loses to the Recording Industry Association of

Verizon loses its battle in federal district court to preserve the
privacy of a Verizon customer. In July 2002, the Recording Industry
Association of America demanded that Verizon turn over the name of a
Verizon costumer alleged to have traded recording artists'
copyrighted material. Verizon refused to turn over the name, and
was then sued by the RIAA. The court determined that the RIAA did
not need to obtain a judge's approval before demanding customer
information from Internet service providers. January 30: European Commission Orders Microsoft to Modify Passport

The European Union finds that Microsoft's Passport violated European
Union data protection rules and demanded that Microsoft make
substantial changes to Passport. European Commission Commissioner
Bolkestein said that companies will need to follow guidelines for
future services. February 18: New Hampshire Supreme Court: Information Brokers May Be
Liable for Selling Personal Info

The New Hampshire Supreme Court determines that information brokers
and private investigators can be held responsible for harms caused
by selling an individual's personal information. In this case, a
young woman was murdered by a stalker who obtained her personal
information from information brokers and private investigators. The
court found that private investigators and information brokers have
a duty to exercise reasonable care when the sale of personal
information creates a risk to the individual being investigated. The
court also decided that individuals can sue investigators who
purchase their Social Security numbers from credit reporting
agencies without permission. March 5: Supreme Court: States Can Post Sex Offender Info on the

The U.S. Supreme Court holds that states may post the names and
photos of convicted sex offenders on the Internet without violating
those individuals' rights. The decision marks the first time the
Court has directly faced the question of whether public records
should made available on the Internet. March 21: Federal Court Upholds Junk Fax Law

A federal appeals court upholds the Telephone Consumer Protection
Act against a First Amendment challenge. A junk fax company Fax.com
and Wal-Mart argued that the law violated free speech rights because
it imposes fines upon companies that send fax advertisements without
the permission of the individual receiving the fax. The case marks a
court victory for opt-in privacy laws. April 14, 2003: Health Privacy Rule becomes Effective

The Privacy Rule issued under the Health Insurance Portability and
Accountability Act of 1996 goes into effect For the first time,
Americans have a federal floor of protection and rights for medical
information. The Rule is enforced by the Office for Civil Rights
within the Department of Health and Human Services. April 22: No Fly List Strands Innocent Travelers

Documents uncovered by EPIC's Freedom of Information Act lawsuit
against the Transportation Security Administration reveal that
innocent people were swept up by the No Fly watch list. The
problems raise questions about a proposed passenger profiling
system. The Transportation Security Administration has yet to
describe how it will protect due process rights, comply with the
Privacy Act, and whether it is an effective security measure. April 29: Secret Surveillance and Search at All-Time High

The 2002 annual report on the Foreign Intelliegence Surveillance Act
finds that all 1228 applications for electronic surveillance and
physical search were approved. In 2001, the FISA Court approved 934
applications. The Patriot Act greatly expanded the government's
authority to use the secretive surveillance law. May 12: New Microsoft Passport Flaw Found

Microsoft concedes that a new flaw was found in Microsoft Passport
that could expose personal information, including credit card
numbers, of 200 million Internet users. In July and August 2001,
EPIC and a coalition of consumer advocacy groups filed detailed
complaints with the Federal Trade Commission about the privacy risks
associated with the Passport identification and authentication
system. The Commission found that the Microsoft representations
about Passport constituted an unfair and deceptive trade practice
and settled the action against Microsoft. The agreement required
that Microsoft establish a comprehensive information security
program for Passport, and that it must not misrepresent its
practices of information collection and usage. May 21: Total Information Awareness Gets a Makeover

The Department of Defense Advanced Research Projects Agency releases
a report on the "Terrorism" Information Awareness Program. The name
change was intended to sooth fears that a massive program of public
surveillance might raise privacy concerns. As the Department noted,
"[t]he name 'Total Information Awareness' program created in some
minds the impression that TIA was a system to be used for developing
dossiers on US citizens." June 23: Supreme Court OKs Library Internet Filters

The U.S. Supreme Court upholds a federal law requiring libraries to
filter Internet content to receive federal funding. Critics argued
that the law violated free speech rights guaranteed by the
Constitution. The Court disagreed, explaining that libraries could
temporarily turn off the software if asked by library patrons so
that they could view material that would otherwise be inaccessible.
United States v. American Library Association (2003) June 26: Supreme Court Affirms Right to Be Left Alone in Bedroom

The Supreme Court strikes down a Texas law making it illegal for two
adults of the same sex to have consensual sex in the privacy of the
home. The decision reversed the Court's position on sodomy laws,
and is likely to invalidate laws in twelve other states that
regulate what adults can and cannot do within the privacy of the
home. Justice Kennedy wrote: "Liberty presumes an autonomy of self
that includes freedom of thought, belief, expression, and certain
intimate conduct." He concluded, "As the Constitution endures,
persons in every generation can invoke its principles in their own
search for greater freedom." Lawrence v. Garner (2003) July 10: Wal-Mart Scraps "Smart Shelf" Plans

Wal-Mart announces that it would not move forward with plans to
install "smart shelf" technology in its stores that would receive
radio frequencies emitted by Gillette products with Radio Frequency
Identification (RFID) chips. Although Wal-Mart said the move simply
reflected a corporate decision to implement RFID technology in
warehouses and distribution centers instead of retail stores,
concerns about the misuse of data gleaned from the tracking devices
had prompted a public outcry against the technology. August 8: FOIA Records Detail Attempts to Track Legislators

EPIC obtains Federal Aviation Administration transcripts and audio
recordings concerning a request by the office of U.S. House of
Representatives Majority Leader Tom DeLay (R-TX) to track Texas
legislators fleeing the state by plane. The audio recordings of
telephone conversations between the FAA's Washington Operations
Center and various field employees indicated that the FAA employees
were misled into believing that the request to track the legislators
was part of an official Congressional investigation. August 11: Mississippi District Installs Webcams in Classrooms

The school district in Biloxi, Mississippi becomes the first in the
nation to implement a system of Internet-wired video cameras, nearly
500 total, to monitor its classrooms and hallways 24 hours a day.
The district, which is comprised of some 6,300 students, cited
security concerns as the basis for its camera use. Only designated
school officials and security personnel are allowed to view the
footage, which can be displayed on a computer linked to the
Internet. Other school district in the U.S. and England are
beginning to experiment with classroom webcams. August 13: Poindexter Resigns But Defends "Total Info" Plan

In a letter to the director of the Pentagon's research department,
retired Admiral John Poindexter, the man responsible for Total
Information Awareness, resigns as head of the Information Awareness
Office. He defended the controversial Total Information Awareness
program and cited a study conducted by his former office as an
example of his efforts to "protect the privacy of innocent people." August 20: Tampa Scraps Face-Recognition System

The Tampa Police Department abandons the face recognition system
used in conjunction with its video surveillance cameras, citing the
system's failure to recognize anyone wanted by the authorities over
a two-year period. The camera-based system scanned the faces of
tourists, residents, and visitors in Ybor City and then compared the
images with police mug shots. The system's use never led to any
arrests or positive identifications. The Identix system is still in
operation in Virginia Beach and Great Britain. August 21: County Requires DNA for Guilty Pleas

Prosecutors in Jackson County, Missouri instituted a policy
requiring DNA samples from anyone wishing to plead guilty to a
felony. Prosecutors believe the samples can be a useful tool in
solving violent crimes. The county Public Defender's office,
however, is opposed to the practice and is recommending that its
clients not comply. Other states, including Virginia, require DNA
even from people who were only arrested and questioned. August 31: U.S. Used Illegally Obtained Personal Data

The U.S. government was cut off from a major source of data on Latin
American citizens. The U.S. had purchased access to a database
containing the personal information of 65 million voting-age Mexican
citizens, allowing three dozen U.S. agencies to use it to track and
arrest suspects inside and outside the U.S. However, the data
vendor, Atlanta-based ChoicePoint Inc., recently erased its files on
citizens in Mexico, Argentina and Costa Rica after an outcry from
these countries and others in Latin America regarding the company's
means of obtaining this information. In particular, the Mexican
government complained that its federal voter rolls were the source
of ChoicePoint's data, and were likely obtained illegally by a
Mexican company that sold them to the vendor. All told, Choice
Point had collected personal information on residents of 10 Latin
American countries -- apparently without their consent or knowledge.
ChoicePoint Said To Stop Selling Data On Mexicans To US, The Wall
Street Journal, Aug. 31, 2003 September 14: Anti-Terrorism Laws Used for Other Purposes

A report finds that the Patriot Act is used more often to pursue
common crime than to combat actual terrorism. A Justice Department
official concedes that the Patriot Act contained provisions that had
been on prosecutors' wish lists for years. Civil liberties and
legal defense groups said the government soon will be routinely
using harsh anti-terrorism laws against run-of-the-mill lawbreakers. September 18: JetBlue Confirms Disclosing Passenger Data

JetBlue Airways admits that it provided 5 million passenger
itineraries to Torch Concepts, a Defense Department contractor, as
part of a massive dataming experiment. Torch Concepts supplemented
the JetBlue data with information, such as Social Security numbers
and income levels, furnished by Acxiom Corporation. Congress calls
for an investigation. September 19: UK Makes Spam a Crime

Britain becomes the second country in Europe to criminalize spam.
Under the new British law, spammers face an $8,057 fine if convicted
in a magistrates court. Potential fines imposed in a jury trial
would be unlimited. Spammers would not be subject to imprisonment
under the new law. September 22: Transatlantic Tiff Over Passenger Data

European Union officials meet in Brussels with Homeland Security
officials to discuss whether European airlines should be forced to
hand over information on their passengers to the U.S. government.
The transfer of such information violates many European privacy
laws. September 25: Congress Pulls Plug on Total Information Awareness

The Senate passes a $368 billion Pentagon spending measure that
eliminated funding for the Total Information Awareness office. The
office, headed by retired admiral John Poindexter, was responsible
for the controversial Total Information Awareness surveillance
program as well as a proposed terrorism futures market. September 26: Congress Freezes CAPPS II Funding

Congress suspends funding for the controversial Computer Assisted
Passenger Pre-Screening System until the there is a study of the
system and a certification that privacy issues haved been
satisfactorily addressed. The Congress says that error rates, due
process procedures, accuracy, and safeguards against abuse must be
addressed. The report is expected in mid-February 2004. October 1: Do-Not-Call List Sparks Litigious Furor

To the delight of telemarketing foes throughout the nation, the
Federal Trade Commission's Do-Not-Call List was scheduled to take
effect on October 1. But contentious litigation over the List's
constitutionality and the FTC's authority to implement it stalled
the List's enforcement. After maneuvering by both Congress and the
President failed to resolve the matter, the Federal Communications
Commission was eventually permitted to enforce its own Do-Not-Call
List. October 8: FBI Demands Reporter's Records, Sheepishly Apologizes

The FBI apologizes to Associated Press reporter Ted Bridis for
demanding that he preserve documents related to Adrian Lamo, who is
alleged to have hacked into The New York Times computer system. The
FBI had told Bridis that he was obligated by law to preserve the
records. The FBI admiited that it had no legal basis for requiring
the preservation of the records under the circumstances. October 21: Postal Service Pushes Identification Requirements

The Postal Service will require bulk mailers to include a valid
address on all envelopes. Earlier, a Presidential commission
recommended identification on the outside of all mail. According to
the Commission, "requiring all mail to identify its sender would
likely have a negligible impact on most users of the Postal Service
who readily identify themselves when they send mail and would
consider such a requirement a relatively modest concession." October 21: Students Battle Diebold Over Memos

The Swarthmore Coalition for the Digital Commons takes heat from
Diebold Election Systems for hosting web pages linked to thousands
of leaked Diebold memos that detail flaws in the company's voting
machine software. The company claimed posting such information is a
violation of the Digital Millennium Copyright Act. The students said
tht the company suppressed free speech. Diebold eventually backed
down. October 24: 9/11 Author Pushes For National Identification Card

Journalist and entrepreneur Steven Brill announces plans to develop
a biometric identification cards for those who are frustrated by
waiting in line at security checkpoints. The identification card is
intended to assure that cardholders are not terrorists, violent
criminals, or illegal immigrants, (or people who enjoy waiting in
lines) and are thus entitled to less scrutiny at security
bottlenecks than those without the card. October 25: Discount Offered on RFID Implants

The maker of a Radio Frequency Identification chip implantable in
humans launches a nation-wide promotional campaign in support of the
product. Applied Digital Solutions offered a $50 discount on the
device, which costs $200, to the first 100,000 people who sign up to
have the chip implanted. The company next hopes to develop an
implantable GPS chip. The company also faces investigations by the
Food and Drug Administration and the NASDAQ. October 28: Library of Congress Grants DMCA Exceptions

The Library of Congress creates new narrow exemptions to a digital
piracy law that makes it illegal to crack digital copyright
protections. One can now legally crack codes to access lists of
sites blocked by commercial Internet filtering software, but not
spam-fighting lists; computer programs protected by hardware dongles
that are broken or obsolete; computer programs or video games that
use obsolete formats or hardware; and e-books that prevent
read-alound or other handicapped access formats from functioning.
The move was still criticized by free-speech activists, who had
hoped for more exceptions. November 4: Defense Department Pays Linda Tripp $595,000 To Settle
Privacy Case

The Department of Defense settles a Privacy Act litigation with
former employee Linda Tripp, agreeing to pay $595,000 for Tripp to
drop her claims. Tripp alleged that Pentagon officials released
private information about her in retaliation for her role in the
Lewinsky matter, which led to impeachment proceedings against then
President Clinton. November 16: Government, Industry Announce

Major luggage and lock retailers in the United States, with the
backing of the Transportation Security Administration, announce the
Travel Sentry, a new lock that will enable government agents to
search checked baggages. A TSA spokesperson says, "In other words,
we can open it, but no one else can." But reports at years end find
that Travel Sentry locks are also clipped by TSA officials. December 4: Credit Legislation Signed Into Law

New credit privacy legislation is signed into law. The law will
preempt tougher state laws protecting privacy and preventing
companies from sharing personal information. The bill is a victory
for the financial industry. One positive aspect of the legislation,
however, is that it gives consumers new protections against identity
theft, including free credit reports and a national fraud-alert
system to minimize damage once a theft has occurred. December 12: School Installs Face-Recognition Technology to Find
Children, Sex Offenders

A Phoenix-area middle school plans to install face-recognition
technology intended to identify registered sex offenders and missing
children. The surveillance system consists of two cameras, which
cost from $3,000 to $5,000, linked to state and federal law
enforcement databases containing information about sex offenders,
missing children, and abductors. The Arizona Superintendent of
Public Instruction is pushing to have the surveillance system
installed in every school in Arizona. December 16: Rush Limbaugh Fights for His Medical Record Privacy

Conservative talk show host Rush Limbaugh tells a Florida court that
investigators violated his privacy by seizing his medical records
under search warrants on December 4. He asked that the records not
be made available to prosecutors investigating whether Limbaugh
illegally bought prescription painkillers, citing the need to
protect physician/patient confidentiality. December 16: U.S., European Union Strike Passenger Data Deal

The European Union agrees to allow the United States to collect
airline passenger records on all individuals flying from Europe to
the United States. The concession ended transatlantic tension
stemming from the European Union's threat to keep airlines from
disclosing passenger information under European privacy laws. The
agreement will limit what information can be gathered from passenger
records, how it can be shared with the U.S., and how long it can be
stored. December 16: Anti-Spam Legislation Signed Into Law

The CAN-SPAM Act of 2003 is signed into law, authorizing both fines
and imprisonment for spammers who gather e-mail addresses from the
Internet or use false information to deceive spam recipients. The
new federal law will preempt stricter state laws, and may be
ineffective against spam sent from outside the United States. The
law will be enforced beginning January 1, 2004. December 20: Recording Industry Association of America Dealt

A federal district court holds that the Recording Industry
Association of America must get a judge's permission before
demanding that Internet service providers disclose the names of
customers suspected of trading music online in violation of
copyright laws. The decision will force the RIAA to file suit
against an individual, and then ask a judge to compel the Internet
service provider to turn over the individual's identity. December 31: Inspector General Slams Info Awareness

The Department of Defense Inspector General concludes that the Total
Information Awareness program failed to address key privacy
concerns. The program was killed earlier in the year by the
Congress, but some of the program's activities have been quietly
transferred to other agencies. HAPPY NEW YEAR FROM THE ELECTRONIC PRIVACY INFORMATION CENTER (EPIC) ====================================================================== Privacy Policy ====================================================================== The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions. ====================================================================== About EPIC ====================================================================== The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate/ Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ------------------ END EPIC 2003 Year in Review ------------------