                            E P I C  A l e r t
Volume 11.11                                              June 10, 2004

                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] EPIC Sues Agencies for Passenger Data Disclosure Info
[2] DHS and EU Council Reach Agreement on Airline Passenger Data
[3] House Committee Suspends US-VISIT Contract
[4] Business Coalition Seeks Change to Junk Fax Regulations
[5] ICANN Calls for Comments on WHOIS Process
[6] News in Brief
[7] EPIC Bookstore: Credit Scores & Credit Reports
[8] Upcoming Conferences and Events

[1] EPIC Sues Agencies for Passenger Data Disclosure Info

EPIC filed suit in federal district court yesterday seeking the
release of Transportation Security Administration and Department of
Justice records concerning the efforts of the agencies to collect
airline passenger data from major commercial airlines.  The lawsuit
challenges the agencies' failure and refusal to expedite the
processing of EPIC's Freedom of Information Act (FOIA) requests for
the material.

The suit stems from four FOIA requests asking the agencies for
information about their roles in acquiring passenger data from JetBlue
Airways, Northwest Airlines, American Airlines and others.  In the
past eight months, EPIC has submitted three requests to the
Transportation Security Administration for information about its role
in JetBlue's disclosure of passenger data to a defense contractor and
American's disclosure of passenger data to Transportation Security
Administration contractors. The agency has granted expedited
processing for all of the requests, but has failed to release the
information within twenty days, as required by law.

Further, EPIC submitted a FOIA request to the FBI last month asking
for information about its collection of a year's worth of passenger
information from numerous airlines after 9/11, and requested expedited
processing as provided under the FOIA and Department of Justice
regulations.  The Bureau refused to expedite on the grounds that "the
primary activity of EPIC does not appear to be information
dissemination," despite the fact that two federal judges have
determined otherwise.  The FBI also justified its denial by stating
that EPIC had not "demonstrated any particular urgency to inform the
public about the subject matter of [its] request beyond the public's
right to know generally."

EPIC is seeking a preliminary injunction requiring the Department of
Justice, the FBI's parent agency, to process EPIC's request and
release the documents as soon as possible.  In support of its
entitlement to expedited processing, EPIC noted substantial media
interest in the FBI's acquisition of passenger information and pointed
out that Congress has shown increasing concern about government
collection of such data.  EPIC also noted that other agencies have
granted expedited processing for similar requests, acknowledging that
this is a matter about which there is an urgency to inform the public.

EPIC's complaint is available at:


EPIC's motion for a preliminary injunction is available at:


For more information about passenger data disclosures, see EPIC's
Northwest Disclosure Page:


[2] DHS and EU Council Reach Agreement on Airline Passenger Data

On May 28, United States and European Union officials signed an
agreement providing for a legal framework to govern the disclosure of
European airline passenger data to the Department of Homeland
Security's Bureau of Customs and Border Protection.

The bilateral agreement centers on the Customs Bureau's use of
passenger name record (PNR) data from airline reservation systems.
Thirty-four data fields have been specified for disclosure to the U.S.
government, including name, dates of travel, phone numbers, emails,
credit card numbers, car rental information, hotel reservation
details, and contact persons in the U.S., with data to be kept for not
more than three and a half years.  The agreement restricts use of the
data to combating terrorism and "other serious crimes" that are
transnational in nature.  The data may also be used to test the
Transportation Security Administration's controversial second
generation Computer Assisted Passenger Prescreening System (CAPPS II)
once the system is authorized to test using domestic data.  The
Customs Bureau also promises certain privacy protections, including
restrictions on use of the data by other U.S. agencies.

The agreement is the result of more than a year and a half of
negotiations between the EU and the U.S.  Since March 2003, EU
airlines have provided PNR data to the Customs Bureau to comply with
U.S. regulations.  However, these data transfers likely violate
European data protection laws, mainly because they do not provide
passengers with a judicially enforceable right to access their
personal data and do not ensure truly independent redress,
compensation and appeal mechanisms in case of governmental abuse and
infringement of passengers' rights.  EU member states had agreed not
to enforce their national laws pending an adequacy finding by the
European Commission that personal data transferred to the Customs
Bureau would receive sufficient protection.  One main purpose of the
new agreement was to resolve this conflict.

European Commission officials defend the agreement, arguing that it
formalizes privacy protections for PNR data and reflects negotiated
concessions limiting the scope and use of such information.  They
contend that the alternative would have included fewer concessions to
data use and greater legal and practical uncertainty about the ongoing
data transfers.

However, the European Parliament, Article 29 Data Protection Working
Party, data protection authorities around the world and privacy
experts have expressed deep reservations about the agreement and its
effects on Europeans' privacy rights, voting against its approval even
though the European Commission considered such disapproval not binding
in this case.  The European Court of Justice could still invalidate
the agreement if requested by the Parliament to review the
compatibility of the agreement with the Treaty of the EU and to
determine whether the Parliament should have had veto power.

The European Commission's adequacy decision, including the U.S.
government's Undertakings and the list of 34 PNR data fields to be
disclosed to U.S. authorities:


The decision of the Council of the European Union to conclude an
agreement with the Department of Homeland Security:


The European Parliament's resolution disapproving the agreement:


For more information about passenger data sharing, see EPIC's EU-U.S.
Airline Passenger Data Disclosure page:


[3] House Committee Suspends US-VISIT Contract

The House Appropriations Committee has moved to suspend the Department
of Homeland Security's contract with Accenture, a non-U.S. based
corporation, for development of the United States Visitor and
Immigrant Status Indicator Technology (US-VISIT).  The Department last
week awarded the company a contract worth up to $10 billion for the
expansion of the controversial border security program, which uses
photographs and biometrics to track foreign visitors to, from and
within the U.S.

US-VISIT has already processed more than four million people at the
country's busiest air and sea ports, and Department of Homeland
Security officials claim to have apprehended over 500 suspected
criminals and illegal aliens through the program.  US-VISIT has yet to
assist in the apprehension of a single suspected or known terrorist.

The bid process for the US-VISIT contract was deemed unusual because
the government left it to bidders to envision an ideal process for
tracking visitors traveling to and from the U.S.  Accenture's proposal
entailed the creation of "virtual folders" for each visitor that would
store visa application information, biometric information, entry and
exit dates, and the purpose of the visit.  Additional information
would be included for student visa holders.  Acknowledging that
US-VISIT enables the unprecedented integration and sharing of
individual information among various agency databases, Accenture also
created a position for a chief privacy officer.

Indeed, privacy threats posed by the program remain paramount.  In
February, EPIC urged the Department of Homeland Security to define how
Privacy Act obligations affect the program, to consider the
significance of international privacy standards in the collection and
use of personal information on non-U.S. citizens, and to prohibit the
expansion of US-VISIT uses beyond the program's defined mission.
These issues remain unresolved.

Department of Homeland Security press release on the US-VISIT


EPIC comments on US-VISIT:


For more information about US-VISIT, see EPIC's US-VISIT Page:


[4] Business Coalition Seeks Change to Junk Fax Regulations

A massive coalition of business groups is attempting to pass
legislation that would weaken protections against unsolicited
commercial faxes, also known as "junk faxes."  Since the passage of
the Telephone Consumer Protection Act of 1991 (TCPA), it has been
illegal to send a junk fax without obtaining prior affirmative consent
from the recipient.  Nevertheless, some junk fax "broadcasters" and
others continue to send the messages, transferring the cost of paper
and ink to the recipient.

As a result of continuing problems with fax broadcasters, and in
particular Fax.com, the Federal Communications Commission tightened
restrictions on junk faxes last year.  The regulations, which do not
take effect until 2005, require junk faxers to obtain written consent
from recipients prior to sending the messages.  Having written
evidence of consent is important in enforcement of the regulation, as
junk faxers frequently defend their activities by claiming that the
recipient opted in to the transmission.  Without written consent, the
dispute can dissolve into a "he said, she said" situation where the
junk faxer will claim that a former owner of the phone number, a
family member, or someone else with access to the number provided
consent to the unwanted transmissions.

The Commission also modified the "existing business relationship"
exemption, limiting the time that solicitations could be sent to
eighteen months after a purchase or transaction, and three months
after a customer makes an inquiry to a business.  This limit in time
is necessary, as some junk faxers send new messages every day, and the
old rule would allow them to continue to do so in perpetuity.

The business groups are attempting to eliminate both the requirement
for written consent and the time limits associated with the existing
business relationship exemption.  The bill may also contain provisions
allowing non-profit organizations to send junk faxes, and some are
lobbying to remove the private right of action and damages provisions
from the TCPA.  A hearing on the issue will be held Tuesday in the
House Energy and Commerce Committee, where legislation effecting the
business groups' desires has support from both parties.

Hearing on junk faxes:


For more information about junk faxes, see EPIC's Telemarketing Page:


[5] ICANN Calls for Comments on WHOIS Process

The Internet Corporation for Assigned Names and Numbers (ICANN) has
requested public comment on access, data, and accuracy in the WHOIS
process.  The WHOIS database is a public directory of domain
registrant data available and searchable online.  Currently,
registrants must enter information as personal as name, address,
telephone number, and e-mail address in addition to technical contact
information, all of which can be found on the public WHOIS database.

Last year ICANN established three task forces to develop policy for
the WHOIS database.  The task forces' preliminary reports, which focus
on access, data, and accuracy, were recently released to the public.
ICANN now requests public comments on each of the reports.  The
comment period lasts only from May 28 to June 17, 2004.

The Non-Commercial Users Constituency of ICANN strongly encourages the
general public, NGOs, non-commercial communities and interested
parties to submit comments on each report.  The outcome of the WHOIS
Policy Development Process will have a significant impact on privacy,
civil liberties, and freedom of expression for Internet users.  The
WHOIS database broadly exposes domain registrants' personal data to a
global audience, including criminals and spammers.

The Non-Commercial Users Constituency has urged ICANN to limit the use
and scope of the WHOIS database to its original purpose, which is the
resolution of technical network issues, and to establish strong
privacy protections based on internationally accepted privacy
standards.  This limitation would entail restricting access to the
data, minimizing data required, and not penalizing registrants for
protecting their personal information by entering an inaccurate home
address or telephone number.

The Public Voice web site provides detailed information on WHOIS
policy development and the comment process.  For each of the three
task forces, there are links to the preliminary report and the e-mail
address for comment submission.  There are also position statements by
the Non-Commercial Users Constituency, which may be useful in helping
to understand the key issues.

For more information about WHOIS policy development, see The Public
Voice web site:


View the task forces' preliminary reports at:


Submit comments on the preliminary reports at:


[6] News in Brief


California Attorney General Bill Lockyer has acknowledged a letter
sent by EPIC, Privacy Rights Clearinghouse, and the World Privacy
Forum alleging that Google's e-mail scanning Gmail service violates
California's strict wiretapping laws.  Lockyer wrote: "The potential
exposure of Gmail users to liability for violation of Penal Code
section 631 is of particular concern, as are the rights of those who
are not subscribers to Gmail but who send e-mail to those who are."
Lockyer advised that his office will continue to analyze Gmail and
that "I understand your position and share many of your concerns."

Attorney General Lockyer acknowledgement:


Letter to Attorney General Lockyer concerning Gmail:



A federal court recently threw out the government's case against
Brandon Mayfield, an American lawyer in Oregon who had been linked by
fingerprint identification to the deadly train bombings in Madrid, Spain,
in March.  The court said the FBI had misidentified fingerprints found
on a bag of detonators near the train station in Madrid as belonging
to Mayfield, though Spanish police have subsequently matched the
prints to an Algerian fugitive.  Mayfield was arrested on May 6 as a
material witness in the bombings and detained for two weeks.  Soon
after the court dismissed the case, the FBI offered a rare apology for
mistakenly identifying him in connection with the terrorist attack.
The error seems to have come initially from the FBI's supercomputer
for matching fingerprints and then from the FBI's own analysts.  A
37-year-old convert to Islam, Mayfield sharply criticized the
government, saying he was targeted because of his faith and calling
his time behind bars "humiliating" and "embarrassing."

For information about inaccuracies in the FBI's criminal justice
database, see EPIC's Joint Letter to Require Accuracy for the National
Crime Information Center:



The FBI has served seven artists with subpoenas under the USA PATRIOT
Act to appear before a federal grand jury on June 15, 2004. The jury
is expected to consider bioterrorism charges against Steven Kurtz, an
art professor at the University of Buffalo.  Kurtz and two other
subpoenaed artists are members of the artists' collective known as
Critical Art Ensemble.  The collective has used scientific equipment
since 1987 to produce art projects related to biotechnology.  Kurtz's
2002 exhibit entitled "Molecular Invasion" was a statement against
genetically modified crops.

According to the subpoenas, the FBI is seeking charges under Section
175 of the US Biological Weapons Anti-Terrorism Act of 1989, which has
been expanded by Section 817 of the USA PATRIOT Act.  As modified,
this law prohibits the possession of "any biological agent, toxin, or
delivery system of a type or in a quantity that, under the
circumstances, is not reasonably justified by a prophylactic,
protective, bona fide research, or other peaceful purpose."

Critical Art Ensemble Defense Fund:


For more information about The USA PATRIOT Act, see EPIC's USA PATRIOT
Act Page:



The California Public Utility Commission last week adopted a
"Telecommunications Bill of Rights," a set of regulations under
development for over three years.  Wireless customers benefit from the
new rules, which include mandatory notice about rate increases and
Internet posting of current tariffs.  Previous versions of the rules
drafted under the former Public Utility Commissioner required wireless
providers to obtain express consent, or "opt-in" consent, before using
or selling Customer Proprietary Network Information (CPNI) data about
calls made and received.  The ruling states that such privacy rules
will be revisited but provides no time frame.  The wireless telephone
industry is expected to vigorously oppose implementation of the new

The ruling is available at:


For more information about Customer Proprietary Network Information,
see EPIC's CPNI Page:



A May 2004 General Accounting Office report surveying an
unrepresentative sample of thirteen colleges and universities across
the nation has concluded that most schools feel they are up to the
task of combatting copyright piracy on their computer networks.  All
schools surveyed indicated that they have suffered negative effects of
peer-to-peer piracy ranging from network shutdowns to expending
additional funds on system management.  In response to these problems,
the institutions have taken various steps such as conducting awareness
programs, limiting file downloads, and warning or banning infringing
network users.  While the report presents no concrete data on how
effective these approaches are in reducing piracy, it does note that
the institutions surveyed have some confidence in the efficacy of
their countersteps.

But many of the solutions the universities have placed their
confidence in raise privacy concerns.  Measures such as sanctioning
users of certain file-sharing applications necessarily involve
individual identification of network users.  All of the surveyed
universities indicated that they have this ability and had used it in
the academic year preceding the study (2002-2003).  Five universities
indicated that they could always track down an individual user accused
of copyright violation, while seven stated that individual
identifications could be made most of the time.  Future stepped-up
anti-piracy measures might increase the incidence of such individual
identifications.  This is especially troubling if there are no
safeguards to protect the privacy of network users, essentially
opening them up to the discovery of who is listening to, or watching,
what, long before it is legally established that they have violated a

The report is available at:


[7] EPIC Bookstore: Credit Scores & Credit Reports

Credit Scores & Credit Reports: How The System Really Works, What You
Can Do, by Evan Hendricks (2004).


Evan Hendricks, Fair Credit Reporting Act expert and veteran editor of
the Privacy Times newsletter, has published an authoritative and
approachable guide to credit scores and credit reporting.  He argues
that "the worse your credit score, the more you pay for mortgages,
loans, credit cards, and insurance.  Conversely, the better your
credit score, the more favorable terms you will get on interest rates
and premiums."  Thus, it is increasingly important that individuals
understand their credit scores and the reports from which they are
derived.  Hendricks explains in detail how the score is computed, the
factors involved, and specific actions that affect the score.

Hendricks' book gives an excellent overview of a range of existing and
emerging credit reporting issues, including account review, the
"reinvestigation" process, how to dispute errors on the report, the
problem of mixed files, identity theft, how to protect your privacy by
opting out of prescreening, the potential for credit scoring having a
disparate and unjustified impact against minorities and the poor, and
the increasing use of credit scores in automobile insurance.  If you
advise clients on credit issues or are attempting to rebuild your
credit, Hendricks' book should be on your shelf -- right next to your
subscription to Privacy Times.

-Chris Jay Hoofnagle


EPIC Publications:

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, recommendations and proposals for future
action, and a useful list of resources and contacts for individuals
and organizations that wish to become more involved in the WSIS
process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"Privacy & Human Rights 2003: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty-five countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore

     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

TRUSTe Symposium: Privacy Futures.  June 9-11, 2004. International
Association of Privacy Professionals.  San Francisco, CA.  For more
information: http://www.privacyfutures.org.

The Policy Implications of Open Source Software.  Forum on Technology
& Innovation.  June 10, 2004.  Washington, DC.  For more information:

Access & Privacy Conference 2004: Sorting It Out.  Government Studies,
Faculty of Extension.  June 10-11, 2004.  University of Alberta.
Edmonton, Alberta, Canada.  For more information:

13th Annual CTCNet Conference: Building Connected Communities: The
Power of People & Technology.  June 11-13, 2004.  Seattle, WA.  For
more information: http://www2.ctcnet.org/conf/2004/session.asp.

Homeland Security and Civil Liberties.  The United States Army War
College with the University of Pennsylvania School of Law.  June 18,
2004.  Philadelphia, PA.  For more information:

Knowledge Held Hostage? Scholarly Versus Corporate Rights in the
Digital Age.  Annenberg Public Policy Center and Rice University in
association with Public Knowledge and the Center for Public Domain.
June 18, 2004.  Philadelphia, PA.  For more information:

Fifth Annual Institute on Privacy Law:  New Developments & Compliance
Issues in a Security-Conscious World.  Practising Law Institute.  June
21-22, 2004.  New York, NY.  For more information: http://www.pli.edu.

Managing the Privacy Revolution 2004: New Challenges, New Strategies,
New Dangers.  Privacy & American Business.  June 22-24, 2003.
Washington, DC.  E-mail info at pandab.org.

ITU WSIS Thematic Meeting on Countering Spam.  International
Telecommunication Union and the World Summit on the Information
Society.  July 7-9, 2004.  Geneva, Switzerland.  For more information:

PORTIA Workshop on Sensitive Data in Medical, Financial, and
Content-Distribution Systems.  PORTIA Project.  July 8-9, 2004.
Stanford, CA.  For more information:

O'Reilly Open Source Convention.  July 26-30, 2004.  Portland, OR.
For more information: http://conferences.oreilly.com/oscon.

First Conference on Email and Anti-Spam.  American Association for
Artificial Intelligence and IEEE Technical Committee on Security and
Privacy.  July 30-31, 2004.  Mountain View, CA.  For more information:

Crypto 2004: The Twenty-Fourth Annual IACR Crypto Conference.
International Association for Cryptologic Research, IEEE Computer
Society Technical Committee on Security and Privacy, and the Computer
Science Department of the University of California, Santa Barbara.
Santa Barbara, CA.  August 15-19, 2004.  For more information:

The Right to Personal Data Protection -- the Right to Dignity.  26th
International Conference on Data Protection and Privacy Commissioners.
September 14-16, 2004.  Wroclaw, Poland.  For more information:

2004 Telecommunications Policy Research Conference.  National Center
for Technology & Law, George Mason University School of Law.  October
1-3, 2004.  Arlington, VA.  For more information:

Privacy and Security: Seeking the Middle Path.  Office of the
Information & Privacy Commissioner of Ontario; Centre for Innovation
Law and Policy, University of Toronto; and Center for Applied
Cryptographic Research, University of Waterloo.  Toronto, Ontario,
Canada.  October 28-29, 2004.  For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information, see
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.  Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 11.11 ----------------------