EPIC logo

                         E P I C  A l e r t
Volume 11.22                                         November 18, 2004

                          Published by the
            Electronic Privacy Information Center (EPIC)
                          Washington, D.C.


Table of Contents

[1] EPIC Releases 2004 Privacy & Human Rights Report
[2] Agency Orders 72 Airlines to Turn Over Passenger Information
[3] EPIC Joins Coalition to Support Privacy in Email Intercept Case
[4] Government Report Finds SSNs in Many State, County Records
[5] FTC Proposes Major Telemarketing Loophole
[6] News in Brief
[7] EPIC Bookstore: Privacy & Human Rights 2004
[8] Upcoming Conferences and Events

[1] EPIC Releases 2004 Privacy & Human Rights Report

The Electronic Privacy Information Center and Privacy International
released the seventh annual Privacy & Human Rights survey on November
17.  This report reviews the state of privacy in more than sixty
countries around the world.  It outlines legal protections for privacy
and new challenges, and summarizes important issues and events
relating to privacy and surveillance.

The 2004 survey points to several key global developments that have
taken place in the last year, from the establishment of traveler
profiling systems, the creation of biometric IDs and smart cards to
the use of radio frequency identification technologies, video
surveillance, and DNA and health information databases.  Government
authorities and private companies have increased their use of these
new technologies and been keen on setting up sophisticated
identification and surveillance of their citizens, customers and

As the use of such technologies has increased, many countries around
the world have pursued policy and legislative efforts to respond to
the threat of terrorism.  These efforts are intended to provide law
enforcement and national security agencies with more tools of control
and intensify collection of information and data sharing, thanks to a
growing cooperation between government agencies and the private
sector, while limiting means of oversight of those practices.

Several governments, the United States government taking the lead,
have deployed new measures to facilitate the identification and
tracking of people traveling across country borders, from passenger
prescreening and profiling systems to biometric travel documents and
databases for foreigners.  Many governments have established new
national ID schemes.  Others have revived schemes that were rejected
in the past due to lack of public support or legitimacy, covering
first foreigners and minority populations, and extending them later to
all citizens.

Video surveillance, smart cards and DNA databases also present growing
risks to individuals' privacy, as do the use of radio frequency
identification technologies in the private and public sectors. Some
criticisms of these new technologies focus on the lack of adequate
data protection laws in the countries in which they are used.  Others
question the increasing number of purposes for which these
technologies are used regardless of the motives that originally
justified their deployment.

Opposition to these technologies has been voiced by numerous
stakeholders. National parliaments have questioned the legitimacy of
some of the technologies or their presumed effectiveness.  Data
protection authorities have issued reports and filed complaints to
pinpoint ethical, legal and social implications for citizens' civil
liberties and privacy rights.  Human rights groups have organized
coalitions to oppose some of the most intrusive surveillance

Progress for privacy is also noticeable in the 10 new European Member
States, mostly in Eastern Europe, where the EU Data Protection
Directive has been transposed in the legal framework.  Furthermore,
Asian and Latin American countries have passed new privacy legislation
to tackle the potential misuse of personal information by new

To learn more about the report or purchase copies, visit the EPIC


The report is also available online at Privacy International's web


[2] Agency Orders 72 Airlines to Turn Over Passenger Information

The Transportation Security Administration has demanded that 72
airlines turn over a month's worth of passenger data to test the
Secure Flight passenger prescreening program.  The airlines have been
told they must give the agency all Passenger Name Records (PNRs) from
June 2004 domestic flights by November 23.

The order will affect PNRs of about 50 million passengers.  Data that
will be disclosed to the government may include such sensitive
information as credit card numbers, travel itineraries, addresses,
telephone numbers and meal requests, which could reveal a passenger's
religion or ethnicity.

TSA has exempted the information collected during the test phase of
Secure Flight from important protections provided by the Privacy Act,
such as judicially enforceable rights to access and correct personal
data.  The agency has also exempted the test phase from the Privacy
Act requirement that the government maintain only information that is
"relevant and necessary" to perform the test phase.

As proposed by the TSA, Secure Flight will compare PNRs against
information compiled by the Terrorist Screening Center, which will
include expanded "selectee" and "no fly" lists.  TSA will also seek to
identify "suspicious indicators associated with travel behavior" in
passengers' itinerary PNR data.  Furthermore, the agency is planning
to test the use of commercial databases to verify the accuracy of
information provided by travelers.

TSA received about 500 comments from the public last month in response
to the Secure Flight proposal.  Most of those who commented voiced
concern about Secure Flight's implications for privacy and other civil

Under the recently passed Department of Homeland Security
Appropriations Act of 2005, no funding may be used to deploy Secure
Flight until the Government Accountability Office examines the privacy
implications and other aspects of the program. The GAO must submit its
report on Secure Flight to Congress no later than March 28, 2005.

TSA's order to airlines to turn over June 2004 PNRs:


For more information about passenger prescreening, see EPIC's
Passenger Profiling Page:


[3] EPIC Joins Coalition to Support Privacy in Email Intercept Case

EPIC joined five civil liberties groups to file a "friend of the
court" brief encouraging the First Circuit Court of Appeals to
overturn a controversial ruling on email privacy.

In June, a three-judge panel held in United States v. Councilman that
an email service provider did not violate criminal wiretap laws by
acquiring users' incoming emails without their knowledge or consent to
gain a commercial advantage over a competitor.  Because the emails
were not actually in wires or cables between computers when accessed,
but were instead temporarily stored on the service provider's computer
system, the panel found the emails could not have been "intercepted"
in violation of wiretap law.  The First Circuit has withdrawn the
panel decision and is reconsidering the case.

The civil liberties groups' brief argued that the panel's decision
creates serious constitutional questions under the Fourth Amendment
guarantee against unreasonable search and seizure. The brief was also
joined by the Center for Democracy and Technology, Electronic Frontier
Foundation, American Civil Liberties Union, American Library
Association, and Center for National Security Studies.

Senator Patrick Leahy (D-VT) also filed an amicus brief discussing
what Congress had in mind when it extended legal protections to email
in 1986.  Senator Leahy, the sponsor of the Senate version of the
legislation that became the Electronic Communications Privacy Act,
argued that the panel's decision fails to recognize Congress' intent
to protect the privacy of electronic communications when the Act was
passed, and should be reversed.

Five technical experts also filed a brief in favor of Internet
privacy, explaining that email should receive full legal protection
while in transmission. "Internet-based mail services clearly
distinguish between the routine storage that occurs when a message
reaches its destination . . . and the temporary 'storage' that occurs
as electronic mail moves in many discrete steps from sender to
recipient," the brief argued.  The technical experts endorsing the
brief were Dr. Whitfield Diffie, Chief Security Officer of Sun
Microsystems; Dr. Edward W. Felten, Professor of Computer Science at
Princeton University; Dr. John R. Levine, Chair of the Internet
Research Task Force Anti-Spam Research Group; Dr. Peter G. Neumann,
Principal Scientist in the Computer Science Lab at SRI International;
and Dr. Bruce Schneier, Chief Technical Officer of Counterpaine

The First Circuit will hear oral arguments in the rehearing next

Amicus brief filed by civil liberties groups:


Amicus brief filed by Senator Leahy:


Amicus brief filed by technologists:


For more information about the case, see EPIC's United States v.
Councilman Page:


[4] Government Report Finds SSNs in Many State, County Records

The Government Accountability Office, the investigative arm of
Congress, has released a report finding that Social Security Numbers
(SSNs) "are widely exposed to view in a variety of public records,
particularly those held by state and local government."  The GAO
estimated that "individuals' SSNs are displayed in some public records
in 80 to 94 percent of U.S. counties."  The GAO also found that
agencies in "41 states as well as the District of Columbia reported
holding at least one type of public record that shows the SSN."  SSNs
were most frequently found in court and property records.

SSNs were less likely to be found in the public records of federal
executive agencies because of protections provided by the Privacy Act.
However, the GAO did report finding SSNs in some federal court

These findings are important because the presence of SSNs in public
records "increases the likelihood that they will be misused for
inappropriate mining of personal information, violation of privacy,
and identity theft."  Indeed, public records are a major source for
personal information used by data brokers and direct marketers.  Once
personal information appears in a public record, some data brokers can
collect, use, and disclose the information without any privacy
obligations.  There is also a risk that identity thieves will mine
public records in order to locate new victims.

The report also noted that 57 million identification cards bearing a
full SSN have been issued by the federal government to employees and
individuals in benefits programs or the military.  The GAO reported
that the practice "puts cardholders at risk for identity theft due to
the increased potential for accidental loss, theft, or visual
exposure."  The GAO recommended that the government investigate SSN
display on identification cards and develop a unified approach to
addressing the problem.

The report was requested by Representative Clay Shaw (R-FL), the
Chairman of the Ways and Means Subcommittee on Social Security.  Rep.
Shaw has been a consistent supporter of greater privacy protections
for SSNs.

Government Accountability Office, Social Security Numbers: Governments
Could Do More to Reduce Display in Public Records and on Identity


For more information about the privacy of Social Security Numbers, see
EPIC's SSN Page:


For more information about public record privacy, see EPIC's Public
Records Page:


[5] FTC Proposes Major Telemarketing Loophole

The Federal Trade Commission has proposed to create a loophole in
telemarketing regulations that will allow companies to deliver
"prerecorded message telemarketing" to their existing customers.  This
type of telemarketing also leaves "answering machine spam," unwanted
messages on voicemail.  Even those enrolled in the Do-Not-Call
Registry will be affected by the proposed loophole.

Under the proposal, companies could call their current customers and
play a recorded message.  The message would have to give the consumer
an opportunity to opt out of the calls, either by pressing a button or
by calling a toll-free number.  The key to the proposal is the
definition of businesses' "current customers."  Under the Do-Not-Call
Regulations, a business relationship exists whenever an individual
makes an inquiry about or buys any product or service.  Inquiries
create a relationship for three months; purchases for eighteen. During
that period, the company can make telemarketing calls even if the
individual is enrolled in the Do-Not-Call Registry, and the individual
must opt out of each business relationship individually. Technically,
under the regulations, buying a cup of coffee creates a business
relationship that permits telemarketing for eighteen months.

The Commission's proposal comes at a time where technology and
business practices could create the "perfect storm" for a barrage
unwanted telemarketing and answering machine spam.  Technologically,
with Internet telephony (VoIP), it now is easier and less expensive to
use a regular computer to initiate automated, prerecorded voice calls.
Additionally, many retail businesses are asking for identification
information at the point of sale.  Companies collecting this
information could exploit this loophole to send volumes of prerecorded
telemarketing and answering machine spam.

In proposing this loophole, the Commission is acting on a petition
brought by the Voice Mail Broadcasting Corporation, a company that
automates the delivery of messages to answering machines.  A news
article from 1999 indicates that the company could make 1.5 million
calls a day.  If the loophole is accepted, other companies are likely
to clone the practice, resulting in an increase of unwanted

EPIC and a coalition of privacy groups will file formal comments on
the loophole, stressing that individuals can opt in to this form of
telemarketing if they choose, but that a mere business relationship
should not authorize companies to deliver prerecorded messages.  The
Commission is accepting comments until January 10, 2005.

Proposed amendment to the telemarketing sales rule:


Anyone may comment on this loophole by visiting the FTC comment web


[6] News in Brief


Giving in to the House in negotiations over legislation to implement
the recommendations of the 9/11 Commission, the Senate agreed to allow
the government's intelligence budget to remain classified. This
decision undermines the Commission's finding that Congressional
oversight of intelligence must be improved, and supports a tradition
of secrecy and extensive classification that may frustrate public
oversight and press reporting on matters of national interest.

In exchange for this compromise with the House, the legislation would
now call for "exclusive" authority by the national intelligence
director over the National Intelligence Program budget.  Currently,
the defense secretary controls approximately 80 percent of funding for
government intelligence.

For more information about the Commission's findings, see EPIC's page
on the 9/11 Commission recommendations:



EPIC and Private Citizen, Inc. argued in a brief to the Georgia
Supreme Court that "junk faxing is simply electronic trespass as a
means to committing advertising by theft -- the electronic equivalent
of junk mail sent postage due."  In the case, Carnett's Inc. v.
Michelle Hammond, the court will determine whether individuals can
bring class action suits under the Telephone Consumer Protection Act,
a law that prohibits the sending of "junk faxes," unsolicited
commercial facsimile messages.  EPIC argued that class actions are
essential to the law's effectiveness, noting that junk faxers
collectively transmit two billion messages a year.  The brief also
argues that no "established business relationship" exemption exists
that would permit sending unwanted faxes.

Coalition brief on junk faxes:


For more information about junk faxing, see EPIC's Telemarketing and
Junk Fax Page:



Drug manufacturers will soon add radio frequency identification (RFID)
tags to bottles of prescription pills.  This move comes after the Food
and Drug Administration (FDA) issued voluntary guidelines lifting
restrictions on labeling that may have discouraged companies from
testing out the technology.  The RFID tags will be used to combat the
small but growing problem of prescription drug counterfeiting by
allowing tracking of wholesale drug products from manufacturers to
pharmacies. Tags will first be used in a test phase that will last
until December 31, 2007.  In February 2004, the FDA issued a report
entitled "Combating Counterfeit Drugs" which encouraged drugmakers to
use RFID chips on their products.

In a position statement issued in November 2003 on RFID technology,
almost 50 consumer privacy and civil liberties organizations around
the world found the use of RFID tags for tracking pharmaceuticals
acceptable as long as the tags help ensure the drugs are not
counterfeit, are handled properly and dispensed appropriately, and the
tags contained on or in the pharmaceutical containers are physically
removed or permanently disabled before being sold to consumers.

For more information about radio frequency identification technology,
see EPIC's RFID Page:



California has passed Proposition 69, a measure that requires a DNA
sample to be taken from every adult and juvenile convicted of a felony
and from every adult arrested on suspicion of murder or certain sex
crimes in the state.  The law will expand in 2009 to include
individuals arrested on suspicion of any felony and certain
misdemeanors. Retroactive provisions require that samples also be
obtained from some California prison inmates and parolees not covered
under previous law, which applies only to those convicted of serious
felonies.  The new law will add tens of thousands of new DNA profiles
to a statewide database, which in turn feeds into the FBI's national
DNA database.

For more information about DNA privacy, see EPIC's Genetic Privacy



The 15th annual conference on Computers, Freedom & Privacy takes place
from Tuesday, April 12, to Friday, April 15, 2005, in Seattle,
Washington.  The theme of the conference is "Panopticon."  The
conference's program committee is currently accepting proposals for
conference sessions and speakers.  Submit your ideas by December 31,

CFP 2005:


[7] EPIC Bookstore: Privacy & Human Rights 2004

Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments (EPIC 2004).


This annual report by EPIC and Privacy International reviews the state
of privacy in more than sixty countries around the world.  It outlines
legal protections, new challenges, and summarizes important issues and
events relating to privacy.  Privacy & Human Rights 2004 is the most
comprehensive report on privacy and data protection ever published.

The 2004 edition of Privacy & Human Rights documents the continued
expansion of government surveillance authority.  Many countries have
pursued new identification schemes, expanded monitoring of
communications, weakened data protection laws, and intensified data
transfers between the public and private sectors.

The 2004 Privacy & Human Rights report also finds continuing
opposition to traveler profiling systems, secret video surveillance,
smart cards, DNA and health information databases, and radio frequency
identification (RFID) technologies.  New topics for 2004 include
travel privacy, electronic voting, census, nanotechnologies, and the
World Summit on the Information Society.  The 2004 survey notes the
adoption of new data protection and open government laws, and includes
new country reports from Latin America, Africa, and Asia.


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.


This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

The 2004 Isaac Pitblado Lectures: Privacy -- Another Snail in the
Ginger Beer.  The Law Society of Manitoba, The Manitoba Bar
Association and the University of Manitoba Faculty of Law.  November
19-20, 2004.  Manitoba, Canada. For more information:

2004 Big Brother Awards Hungary.  November 25, 2004.  Budapest,
Hungary.  For more information: http://hu.bigbrotherawards.org.

Africa Electronic Privacy and Public Voice Symposium.  The Public
Voice.  December 6, 2004.  Capetown, South Africa.  For more
information: http://www.thepublicvoice.org/events/capetown04.

National Security, Law Enforcement and Data Protection.  British
Institute of International and Comparative Law Data Protection
Research and Policy Group.  December 8, 2004.  London, UK.  For more
information: http:www.biicl.org.

3rd Annual Digital Rights Management Conference 2005.  Ministry of
Science and Research of the State Northrhine Westfalia, Germany. 
January 13-24, 2005.  Berlin, Germany.  For more information:

12th Annual Network and Distributed System Security Symposium. The
Internet Society.  February 3-4, 2005.  San Diego, CA.  For more
information: http://www.isoc.org/isoc/conferences/ndss/05/index.shtml.

14th Annual RSA Conference.  RSA Security.  February 14-18, 2005.  San
Francisco, CA.  For more information:

The World Summit on the Information Society PrepCom 2.  February
17-25, 2005.  Geneva, Switzerland.  For more information:

The Concealed I: Anonymity, Identity, and the Prospect of Privacy.  On
the Identity Trail and the Law and Technology Program at the
University of Ottawa.  March 4-5, 2005.  Ottawa, Canada.  For more
information: http://www.anonequity.org/concealedI.

O'Reilly Emerging Technology Conference.  March 14-17, 2005.  San
Diego, CA.  For more Information:

7th International General Online Research Conference.  German
Society for Online Research.  March 22-23, 2005.  Zurich, Switzerland.
For more information: http://www.gor.de.

5th Annual Future of Music Policy Summit.  Future of Music
Coalition.  April 10-11, 2005.  Washington DC.  For more information:

CFP2005: Fifteenth Annual Conference on Computers, Freedom and
Privacy.  April 12-15, 2005.  Seattle, WA.  For more information:

2005 IEEE Symposium on Security and Privacy.  IEEE Computer Society
Technical Committee on Security and Privacy in cooperation with The
International Association for Cryptologic Research.  May 8-11, 2005.
Berkeley, CA.  For more information:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing. 
Technical Committee on Security & Protection in Information Processing
Systems with the support of Information Processing Society of Japan. 
May 30-June 1, 2005.  Chiba, Japan.  For more information:

3rd International Human.Society@Internet Conference.  July 27-29,
2005.  Tokyo, Japan.  For more information: http://hsi.itrc.net.

The World Summit on the Information Society.  Government of Tunisia.
November 16-18, 2005.  Tunis, Tunisia.  For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information, see
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.  Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 11.22 ----------------------