                             E P I C  A l e r t
Volume 11.13                                              July 12, 2004

                              Published by the
                Electronic Privacy Information Center (EPIC)
                              Washington, D.C.


Table of Contents

[1] Supreme Court Upholds Block on Web Censorship Law
[2] EPIC Calls for Suspension of Registered Traveler Program
[3] Federal Court OKs Service Provider E-mail Interception
[4] Judge Upholds Country's Strongest State Financial Privacy Law
[5] Voter Identification Bills Introduced in Congress
[6] News in Brief
[7] EPIC Bookstore: Jennifer Government
[8] Upcoming Conferences and Events

[1] Supreme Court Upholds Block on Web Censorship Law

The Supreme Court recently upheld in Ashcroft v. ACLU a lower court's
injunction against enforcement of the Child Online Protection Act
(COPA).  COPA, passed by Congress in 1998, is a broad censorship law
that restricts Internet speech and imposes penalties of up to $50,000
and six months in prison for posting, for commercial purposes, content
that is "harmful to minors."  In a 5-4 decision, the Court upheld the
injunction on the basis that the government failed to rebut the
argument that software filtering is a plausible, less-restrictive
alternative to COPA's content-based regulation of Internet speech.

Congress passed COPA in 1998 after the Supreme Court's 1997 ruling in
Reno v. ACLU that the law's predecessor, the Communications Decency
Act, was unconstitutional.  EPIC joined with the ACLU to serve as
plaintiff and co-counsel in the constitutional challenges to both

The Supreme Court's majority opinion, written by Justice Kennedy and
joined by Justices Stevens, Souter, Thomas, and Ginsburg, held that
"there is a potential for extraordinary harm and a serious chill upon
protected speech" if the law goes into effect.  The Court found that
filtering software is likely a less restrictive means to regulate
minors' access to harmful material because "filters impose selective
restrictions on speech at the receiving end, not universal
restrictions at the source."  The Court also found that promoting
filters is less damaging to First Amendment principles because COPA
condemns as criminal entire categories of speech.  Justice Kennedy
also noted that COPA fails to effectively serve the government's
interest in protecting children because the law does not prevent
children from seeing inappropriate material originating outside the
United States.

In his dissenting opinion, Justice Breyer contended that the Court was
wrong to conclude that Congress could have accomplished its goal of
protecting children from Internet pornography in less restrictive
ways.  Breyer argued that the monetary and social costs of COPA's
identification requirement impose only "a modest additional burden" on
adult access to Internet content.

The case has been remanded to the lower court for further proceedings.

The opinion in Ashcroft v. ACLU is available at:


EPIC's testimony concerning the privacy implications of COPA's
identification requirement:


For more information about the case, see EPIC's COPA Litigation Page:


[2] EPIC Calls for Suspension of Registered Traveler Program

In formal comments to the Transportation Security Administration
(TSA), EPIC has urged the agency not to deploy the final phase of the
Registered Traveler program until it conducts a full evaluation of the
program's privacy implications.  EPIC argued that the agency should
revise its information collection and maintenance practices to comply
fully with the intent of the Privacy Act.

EPIC made its recommendation in response to the agency's publication
of a notice describing its plans to launch the pilot phase of
Registered Traveler.  The program asks individuals to volunteer to
undergo invasive background checks and provide biometric information
in exchange for the assurance that they will not be subjected to
random secondary screening at airports.

EPIC's comments noted the agency's record of secrecy and little regard
for individual privacy interests in the development of other programs,
pointing out that the agency has disclosed little information about
the controversial second generation Computer Assisted Passenger
Prescreening System (CAPPS II) in response to EPIC's repeated Freedom
of Information Act requests and has also exempted the system from key
Privacy Act provisions.

EPIC noted that TSA has unnecessarily exempted Registered Traveler
from crucial safeguards intended to promote record accuracy and secure
the privacy of individuals whose information is maintained within the
system.  EPIC's comments addressed TSA's failure to provide
individuals with meaningful access to personal information and
meaningful opportunities to correct inaccurate, irrelevant, untimely
and incomplete information.  EPIC also noted Registered Traveler's
exemption from the requirement that a system maintain only information
that is "relevant and necessary" to perform the system's function, and
asserted that TSA's broadly drawn "routine uses" of Registered
Traveler data would only heighten the system's privacy problems.

The Transportation Security Administration's notice on Registered
Traveler is available at:


EPIC's comments are available at:


More information about CAPPS II and passenger profiling is available
at EPIC's Passenger Profiling Page:


[3] Federal Court OKs Service Provider E-mail Interception

The U.S. Court of Appeals for the First Circuit has ruled that a
company did not violate federal wiretap law when it used the e-mail
service it provided to its subscribers to access their e-mail so it
could review messages sent to them by a rival company.  The issue in
United States v. Councilman was whether an "intercept" of a
communication occurred within the meaning of the Wiretap Act.  In a
2-1 ruling, the court held that electronic communications are not
"intercepted" if the communication is accessed while it is in
temporary storage.

This case involved the conduct of Interloc, an online literary
clearinghouse that sought to pair its subscribers -- rare and used
book dealers -- with book buyers.  Bradford C. Councilman, former
executive of the company, directed Interloc employees to write
computer code to intercept and copy all incoming communications from
Amazon.com to the subscriber book dealers, who had been provided
e-mail service by Interloc.  According to the indictment, the Interloc
systems administrator wrote a revision to the mail processing code
designed to intercept, copy, and store all incoming messages from
Amazon.com before they were delivered to the subscribers, and
therefore, before the e-mail was read by the intended recipient.
Councilman was charged with using the code to intercept thousands of
messages.  Councilman and other Interloc employees routinely read the
e-mails sent to Interloc subscribers seeking to gain a commercial

The law at issue in this case involved the 1986 amendments to federal
wiretap law.  Prior to the amendments, only wire and oral
communications were protected from interception under the Wiretap Act.
The amendments extended protections against interception to electronic
communications, and also sought to establish legal standards for
access to email in the possession of a service provider.  The changes
created two categories of electronic communications -- those "in
transit," which enjoy relatively generous protection under the law,
and those "in storage," which receive a lesser degree of legal
protection.  The categories that resulted from the amendments were
viewed as complementary efforts to protect the privacy of electronic
communications.  The "tiering" of communications resulted more from
the effort to address specific concerns -- such as extending
protections to electronic communications and creating safeguards for
stored communications -- than to formally categorize the privacy
protection for each type of information.  Thus, it is unlikely that
the Congress that passed the 1986 amendments believed that an ISP
should be able to routinely review the contents of subscriber email.

The Court, however, determined that the plain language of the law
showed that Congress did not intend for the law's interception
provisions to apply to electronic communications in electronic
storage.  The Court also found that when the company obtained the
e-mails, the messages were in temporary storage in a computer system.
The Court noted that the parties had stipulated that the e-mails were
not affected while they were transmitted through wires or cables
between computers.  In light of these findings, the Court determined
that the e-mails were not in transit and subject to interception, but
were instead stored communications.  Because no "intercept" occurred,
the Court held that the Wiretap Act could not have been violated.  In
dissent, Judge Kermit V. Lipez warned that this interpretation of the
Wiretap Act "would undo decades of practice and precedent regarding
the scope of the Wiretap Act and would essentially render the act
irrelevant to the protection of wire and electronic privacy."

The opinion in United States v. Councilman is available at:


For more information about electronic surveillance, see EPIC's
Wiretapping Page:


[4] Judge Upholds Country's Strongest State Financial Privacy Law

A federal district judge in Sacramento, California has upheld the
state's financial privacy law, SB1, against a challenge brought by
financial services trade groups.  The groups were unsuccessful in
arguing that the law, known as the California Financial Information
Privacy Act, was preempted by the federal Fair Credit Reporting Act
(FCRA).  SB1 is the strongest financial privacy law in the nation.  It
allows individuals to opt out of affiliate information sharing, and
requires opt-in consent before financial services institutions sell
personal data to third parties (see EPIC Alert 10.17).

SB1 was signed by former Governor Gray Davis after a four-year
legislative battle.  It became law only after major financial services
companies, some of which have hundreds or even thousands of
affiliates, dropped their opposition to the legislation.  However,
those companies later attempted to eliminate SB1's protections by
preempting the law at the federal level in passing amendments to the

In holding that SB1 was not preempted by federal law, the Court
reasoned that the FCRA does not trump all state laws regulating
information sharing by affiliates.  Rather, the FCRA pertains only to
the sharing of consumer reports among affiliates; that is, information
that is used for an enumerated purpose of the FCRA, such as credit

The court found that the Gramm-Leach-Bliley Act was the controlling
law for the regulation of affiliate information sharing.  That law, as
a result of the "Sarbanes Amendment," preserves the right of states to
pass more stringent protections for personal information that is
exploited by financial services companies.

California's SB1 took effect on July 1, and contains substantial
monetary penalties for violation.  It appears as though the financial
services industry did not take steps to comply with the law, and as a
result, is likely to pursue an injunction to delay implementation of
the law and an expedited appeal.

The opinion in ABA v. Lockyer is available at:


SB 1, the California Financial Information Privacy Act:


EPIC Financial Privacy Resources:


[5] Voter Identification Bills Introduced in Congress

Two bills introduced in this session of Congress would place more
identification requirements on those seeking to register to vote. Rep.
Phil Gingrey (R-GA) has introduced H.R. 4174, a bill that would
require individuals to provide proof of United States citizenship as a
condition of registering to vote.  Rep. Henry Hyde (R-IL) has
introduced H.R. 4530, a bill that would require any person registering
or reregistering to vote to provide proof of citizenship.  H.R. 4530
directs states not to provide a ballot to any individual unless he
shows proof of citizenship. The states are to determine which
documents will be acceptable proof of citizenship under the advisement
of the Election Assistance Commission, Secretary of Homeland Security,
and Secretary of State.  The two bills have a total of eight
co-sponsors between them, with two members' names appearing on both

A trade-off in privacy exists in the legal requirement of voter
registration to participate in publicly held elections.  Voter
registration began its trek into common practice in the late 1890s,
when it was championed as a means of discouraging repeat voting and
the importation of voters from other jurisdictions to cast votes in
local and some state elections.  Each state is responsible for
administering voter registration within its boundaries.  Today, voter
registration forms may include requests for name, current and previous
address, home and work telephone numbers, birthplace, Social Security
number, birth date, race, gender, and party affiliation.

The Help America Vote Act, which became law in October 2002, requires
voter registrants to submit proof of identity by providing a state
issued identity document or the last four digits of their Social
Security number.  Since 1997, non-citizens may be deported for voting
in local, state, or federal elections.

HAVA also establishes a computerized statewide voter registration list
requirement.  Each state's election officer is directed to create a
uniform centralized interactive computerized statewide voter
registration list.  The list is to be defined, maintained, and
administered at the state level and contains information for every
legally registered voter in each state.  Under this system, the law
directs that a "unique identifier" is to be assigned to each legally
registered voter in a state.  Further, the law directs that the list
should be coordinated with other agency databases within the state.
The system must be designed to allow any election official in the
state, including local election officials, to obtain immediate
electronic access to the information contained in the voter
registration database.  The system must also allow unlimited access to
any local election official to the computerized list.  This list will
serve as the official index of registered voters for any federal or
state election.

The law does require that the appropriate state or local official
shall provide adequate technological security measures to prevent
unauthorized access to the computerized list.

H.R. 4174:


H.R. 4530:


The Help America Vote Act is available at:


National Committee for Voting Integrity:


For more information about voter privacy, see EPIC's Voting Page:


[6] News in Brief


The Federal Trade Commission has charged Gateway Learning Corp., maker
of Hooked on Phonics products, with violating federal law by renting
out personally identifiable consumer information collected through its
web site to direct marketers in violation of the company's privacy
policy.  The company had changed its privacy policy to allow sale of
personal information, and attempted to apply the new policy
retroactively without first obtaining customers' consent for data
exploitation.  The Commission noted that the disclosure included
information provided directly to the company by consumers who bought
Hooked on Phonics, including names, addresses, phone numbers, and age
ranges and gender of the consumers' children.

To settle the Commission's claims, Gateway has agreed not to make
deceptive claims about how it will use consumer information in the
future, promised not to make material changes to its privacy policy
retroactively without obtaining consumers' consent, and forfeited the
$4,608 it earned from leasing the consumer information.

Federal Trade Commission press release:


In the Matter of Gateway Learning Corp.:



In a follow-up letter to testimony on enhancing Social Security number
(SSN) privacy, EPIC and U.S. PIRG detailed the role that the SSN plays
in identity theft.  EPIC and U.S. PIRG explained to the House Ways and
Means Subcommittee on Social Security that widespread business and
government use of the SSN contributes to identity theft.  The letter
highlighted bad privacy practices, including the general use of the
SSN as both an identifier and an authenticator, and sloppy credit
granting practices where creditors facilitate identity theft by
opening new accounts in victims' names.  The letter also argued that
private investigators and others who have access to SSN databases
should be subject to the full privacy responsibilities established by
the Fair Credit Reporting Act.

EPIC's Letter on SSN and Identity Theft:


EPIC Testimony on SSN Privacy:


For more information about the role of Social Security Numbers in
identity theft, see EPIC's SSN Privacy Page:



European Parliament President Pat Cox has announced his decision to
ask the European Union Court of Justice to annul the Council of
Europe's agreement between the European Community and the United
States, allowing for transfer of Passenger Name Record (PNR) data on
EU citizens to the U.S. Department of Homeland Security Bureau of
Customs and Border Protection.  Cox will also appeal the European
Council's finding that the Bureau ensures adequate protection of
transferred PNR data, satisfying the EU's Data Protection Directive
(EU Directive 95/46/EC).  Mr. Cox said the request "reflects the
concern felt by a large majority in the European Parliament on the
need to defend European citizens' fundamental rights and freedoms ...
[B]oth the EU and the U.S. must guard against a new form of creeping

EU Commission's Decision on Adequacy:


EU-U.S. Agreement:


U.S.'s Undertakings:


For more information on the PNR transfer, see EPIC's Page on EU-U.S.
Airline Passenger Data Disclosure:



The House Energy and Commerce Committee has voted 45-4 in favor of an
anti-spyware bill, setting the stage for its consideration by the full
House.  The bill, termed the SPY ACT (Securely Protect Yourself
Against Cyber Trespass Act), was passed after several changes were
made to the original draft sent up by the House Subcommittee on
Commerce, Trade, and Consumer Protection.

The original draft of the bill prohibited deceptive practices related
to spyware such as hijacking a computer's functions, changing
homepages without authorization, and surreptitious keystroke logging.
It also regulated "information collection programs" by mandating
express consent before installation, the provision of an uncomplicated
disabling function, and the disclosure of the type and purpose of
collected information.  The Federal Trade Commission was charged with
enforcement and authorized to levy fines as large as $3 million for
certain violations.  Recent changes to the bill effectively exempt
software located on servers from SPY ACT regulation, while also
providing an explicit exemption for monitoring software used by
network providers for security and anti-fraud purposes.  The changes
also allow bundled multiple information collection programs to seek
user approval via a single notice, and water down the definition of
when there is a change in collected information for which new user
notice and consent will be required.  The bill's sunset date has also
been extended by a year to December 31, 2009.

The current version of H.R. 2929 is available at:



The National Committee on Voting Integrity, established to promote
voter-verified balloting and to preserve privacy protections for
elections in the United States, recently launched its web site,
www.votingintegrity.org.  The web site provides news about important
developments in voting practice and the Committee's continuing
activities, as well as an archive of letters, hearing testimony and
other public Committee statements.  The web archive includes the
Committee's recent written testimony to the U.S. Election Assistance
Commission hearing to review the use, security, and reliability of
electronic voting systems, and its letter congratulating Commission
Chairman Soaries for his "bold and decisive call for electronic voting
companies to make the underlying software code of electronic voting
technology available to election administrators." In addition, the web
site provides a valuable resource for researchers to familiarize
themselves with the key issues related to verifiable, private,
democratic elections.  Coverage includes direct record electronic
voting machines, the Help America Vote Act, and centralized voter
registration databases.

Visit the National Committee on Voting Integrity web site at:



The Anonymity Project has launched a web site that provides a
description of research areas, interviews with project members, and
other project information.  Although the project is
cross-disciplinary, it is based at the University of Ottawa, Faculty
of Law.  EPIC is a collaborator.  The project consists of three broad
research streams -- the nature and value of identity, anonymity and
authentication; the constitutional and legal aspects of anonymity; and
technologies that identify, anonymize and authenticate.  Research
results will be made publicly available on the web site.

Visit "On the Identity Trail: Understanding the Importance of
Anonymity and Authentication in a Networked Society" at:


[7] EPIC Bookstore: Jennifer Government

Max Barry, Jennifer Government (Vintage 2004).


"In Max Barry's twisted, hilarious vision of the near future, the
world is run by giant American corporations (except for a few deluded
holdouts like the French); taxes are illegal; employees take the last
names of the companies they work for; The Police and The NRA are
publicly-traded security firms; the U.S. government may only
investigate crimes if they can bill a citizen directly.  It's a free
market paradise!

"Hack Nike is a lowly Merchandising Officer who's not very good at
negotiating his salary.  So when John Nike and John Nike, executives
from the promised land of Marketing, offer him a contract, he signs
without reading it.  Unfortunately, Hack's new contract involves
shooting teenagers to build up street cred for Nike's new line of
$2,500 sneakers.  Scared, Hack goes to The Police, who assume he's
asking for a subcontracting deal and lease the assassinations to the

"Soon Hack finds himself pursued by Jennifer Government, a
tough-talking agent with a barcode tattoo under her eye and a rabid
determination to nail John Nike (the boss of the other John Nike).  In
a world where your job title means everything, the most cherished
possession is a platinum credit card, and advertising jingles give way
to automatic weapons in the fight for market share, Jennifer
Government is the consumer watchdog from hell."


EPIC Publications:

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, recommendations and proposals for future
action, and a useful list of resources and contacts for individuals
and organizations that wish to become more involved in the WSIS
process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"Privacy & Human Rights 2003: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty-five countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore

     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

O'Reilly Open Source Convention.  July 26-30, 2004.  Portland, OR.
For more information: http://conferences.oreilly.com/oscon.

2004 UK Big Brother Awards.  Privacy International.  July 28, 2004.
London, UK.  For more information:

First Conference on Email and Anti-Spam.  American Association for
Artificial Intelligence and IEEE Technical Committee on Security and
Privacy.  July 30-31, 2004.  Mountain View, CA.  For more information:

Crypto 2004: The Twenty-Fourth Annual IACR Crypto Conference.
International Association for Cryptologic Research, IEEE Computer
Society Technical Committee on Security and Privacy, and the Computer
Science Department of the University of California, Santa Barbara.
August 15-19, 2004.  Santa Barbara, CA.  For more information:

Ninth National HIPAA Summit.  September 12-14, 2004.  Baltimore, MD.
For more information: http://www.HIPAASummit.com.

Public Voice Symposium: Privacy in a New Era: Challenges,
Opportunities and Partnerships.  Electronic Privacy Information
Center, European Digital Rights Initiative (EDRi), and Privacy
International.  September 13, 2004.  Wroclaw, Poland.  For more

The Right to Personal Data Protection -- the Right to Dignity.  26th
International Conference on Data Protection and Privacy Commissioners.
September 14-16, 2004.  Wroclaw, Poland.  For more information:

2004 Telecommunications Policy Research Conference.  National Center
for Technology & Law, George Mason University School of Law.  October
1-3, 2004.  Arlington, VA.  For more information:

Health Privacy Conference.  Office of the Information and Privacy
Commissioner of Alberta.  October 4-5, 2004.  Calgary, Alberta, Canada.
For more information:

IAPP Privacy and Data Security Academy & Expo.  International
Association of Privacy Professionals.  October 27-29, 2004. New
Orleans, LA.  For more information:

Privacy and Security: Seeking the Middle Path.  Office of the
Information & Privacy Commissioner of Ontario; Centre for Innovation
Law and Policy, University of Toronto; and Center for Applied
Cryptographic Research, University of Waterloo.  Toronto, Ontario,
Canada.  October 28-29, 2004.  For more information:

CFP2005: Fifteenth Annual Conference on Computers, Freedom and
Privacy.  April 12-15, 2005.  Seattle, WA.  For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information, see
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.  Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 11.13 ----------------------