
                          E P I C  A l e r t
Volume 12.02                                         January 27, 2005

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.


Table of Contents

[1] EPIC Hosts Annual Privacy Coalition Summit
[2] EPIC FOIA Suit Reveals FBI Kept Millions of Passenger Records
[3] Inauguration Day Puts DC Under Unprecedented Surveillance
[4] Acxiom Lobbied for Broad Exemptions to Privacy Law After 9/11
[5] EPIC Urges Privacy Protections for Federal Employee ID Card
[6] News in Brief
[7] EPIC Bookstore: Prying Eyes
[8] Upcoming Conferences and Events

[1] EPIC Hosts Annual Privacy Coalition Summit

The Privacy Coalition's annual meeting took place in Washington, DC on
January 20-22.  Over 30 state and national organizations comprised of
privacy, civil rights and civil liberties experts gathered to assess
the impact of emerging technology on privacy, government policy, and
business activity over the past year.  The group also assessed the
privacy climate for 2005.

Panel discussions covered a wide range of challenges to civil
liberties, consumer rights, new technology and international
developments in privacy policy.  The challenges faced by civil rights,
civil liberties, and privacy advocates are not just domestic but
international.  It is anticipated that as technology is introduced in
the form of radio frequency identification (RFID), biometric
identification systems, and the incorporation of global positioning
systems (GPS) in consumer products, the lines between public and
private activity will continue to blur.  The goal of many government
actions post-9/11 has been to make surveillance more efficient and to
encourage the mutual exchange of data on citizens among nations.

The meeting was an opportunity for privacy experts specializing in a
wide range of areas to teach and learn from each other in an intense
mini-course environment.  Those invited to join this annual gathering
are experts in their fields, which makes the summit unique and a
highly valued experience.  For more information on the Privacy
Coalition or joining this distinguished group, send your request to

Privacy Coalition web site:


EPIC 2004 Privacy Year in Review/Issues to Watch:


[2] EPIC FOIA Suit Reveals FBI Kept Millions of Passenger Records

EPIC's Freedom of Information litigation has revealed that the FBI is
keeping 257.5 million records on people who flew on commercial
airlines prior to the 9/11 terrorist attacks in its permanent
investigative database.  The data retained by the FBI come from
Passenger Name Records (PNR), which may include credit card numbers,
travel itineraries, and meal requests.

In a sworn declaration explaining why the FBI made heavy redactions in
documents released to EPIC in September, the Bureau noted that it
obtained the passenger records from a number of airlines shortly after
September 11, 2001.  The FBI also obtained passenger data from one
airline through a federal grand jury subpoena.  Citing privacy
concerns, the FBI refused to name the airlines that turned over
passenger records, the airline employees who disclosed it or the FBI
special agents who collected it.

The declaration explains the data were stored and combined with other
information from PENTTBOMB, the FBI's investigation into the 9/11
attacks.  "[T]he Airline Data Sets have been entered by the Cyber
Division into a 'Data Warehouse' and have been intertwined for
analytical purposes with the information from several other PENTTBOMB
Data Sets," the declaration stated.

Another EPIC FOIA lawsuit revealed last year that the FBI obtained one
full year's worth of passenger data from Northwest Airlines after
9/11.  The document revealed that the amount of personal data was so
vast that the airline provided it to the FBI on 6000 CDs.  In an
article based upon this information, the New York Times confirmed that
the Bureau had acquired passenger data not only from Northwest, but
from other U.S. air carriers, as well.

Declaration from the FBI:


FBI documents on collection of passenger data from airlines:


For more information on privacy of passenger data, see EPIC's
Passenger Profiling Page:


[3] Inauguration Day Puts DC Under Unprecedented Surveillance

President Bush's Inauguration on January 20 took Washington, DC to a
new level of surveillance.  Law enforcement conducted live video
surveillance from helicopters and used hundreds of video cameras
installed around the U.S. Capitol and along the parade route to
monitor the crowd and demonstrators.

Most of the video surveillance monitoring technology in DC was
deployed well before 9/11, prior to any threat of potential terrorist
attacks.  The DC Metropolitan Police Department (MPD) originally
installed cameras throughout the city to monitor demonstrators without
notifying the DC Council until the cameras were installed, thereby
denying the public a meaningful opportunity to comment. In 2002, EPIC
obtained documentary evidence under the Freedom of Information Act
that DC's surveillance equipment is mainly directed toward
demonstrators. In the last few years the MPD, FBI, and other law
enforcement agencies used live video surveillance from helicopters
mainly to control peaceful demonstrations.

In 2004, a DC Council report found that the MPD maintained widespread
and extensive spying operations on political advocacy organizations
based on their political philosophies and conduct protected under the
First Amendment, even in the absence of allegations of criminal
activity.  The Council recommended legislation to restrict MPD
surveillance of political organizations and preemptive arrests of

These findings underscore the need for public vigilance and oversight
to make sure that new tools of surveillance do not impinge on
demonstrators' civil liberties, are used for proper purposes and not
subsequently used for illegitimate objectives.  The remote
surveillance of political demonstrators raises important First
Amendment issues: although police surveillance of protestors does not
constitute a direct ban on demonstration activities, images could be
used in retaliation against individuals for their political views and
chill protestors' freedom of speech, assembly and association.

Although the use of surveillance cameras raises far-reaching
constitutional questions that implicate the rights of people who
engage in peaceful public protest, video surveillance is not
regulated.  In DC, the U.S. Park Police and the MPD use video cameras
only subject to two weak guidelines, one of which was not even
submitted to the public for comment.  In testimony before Congress and
the DC Council, EPIC and other civil liberties groups have
consistently advocated that better privacy safeguards are necessary,
and that the use of video surveillance, if it sweeps broadly across
innocent activity and has an impact on First Amendment rights, must be
regulated at least as stringently as surveillance of electronic

EPIC has documented the growing expansion of video surveillance in
Washington through its Observing Surveillance Project:


For more information about law enforcement use of video surveillance,
see EPIC's Video Surveillance Page:


For more information about surveillance of protestors, see EPIC's
Protestor Privacy and Free Expression Rights Page:


[4] Acxiom Lobbied for Broad Exemptions to Privacy Law After 9/11

EPIC has obtained documents showing that commercial data broker Acxiom
lobbied to water down key federal privacy laws immediately after the
September 11, 2001 terrorist attacks.  Acxiom sought broader access to
"credit headers" and drivers' information to develop a system for
"identity and information verification that can be used by
organizations such as airlines, airports, cruise ships, and large
buildings and other applications to better determine whether a person
is actually who they say they are."

The documents consist mainly of notes prepared by Department of
Justice staff detailing conversations and communications between then
Attorney General John Ashcroft and Acxiom president Charles Morgan and
company attorney Jerry Jones.  According to the documents, Morgan and
Jones approached the Department of Justice on several occasions to
discuss "amendments to the Gramm Leach Bliley (GLB) and the Drivers
Privacy Protection Act (DPPA)" to accommodate a developing system for
"identity and information verification."  The documents also reference
107 H.R. 1447, the Aviation Security Act, which ultimately became law
without Acxiom's proposed amendments.  It also appears that Acxiom
courted Senator Blanche Lincoln (D-AR) and former Senator Tim
Hutchinson (R-AR) to support the amendments.

The Acxiom amendments would have created large loopholes in federal
privacy legislation.  For instance, Acxiom's amendments to the DPPA
would have allowed state motor vehicle administrations to release
Social Security numbers, photographs, and possibly biometric
information to any government agency or business "in order to
authenticate the identity or information relating to an individual."
That language is broad enough to justify release of drivers'
information for almost any transaction, down to opening an account at
a video rental store.

The Acxiom language to amend the Gramm-Leach-Bliley Act would have
created a broad exemption allowing disclosure of non-public personal
information not only for anti-terrorism purposes, but also to
authenticate "information provided by or concerning a consumer."  The
provision would have superseded state law, and information falling
within this exemption would not have been subject to the Fair Credit
Reporting Act. Because the proposed amendments allowed authentication
for "legitimate commercial purposes," the language would have
permitted use of "credit headers," compilations of personal
identification information, for even minor transactions.

EPIC documents on Acxiom's lobbying and proposed amendments:


EPIC staff publication, Big Brother's Little Helpers:


[5] EPIC Urges Privacy Protections for Federal Employee ID Card

In response to a Department of Homeland Security directive, the
National Institute for Science and Technology (NIST) is developing an
ID system for federal employees and contractors.  The directive calls
for the development of a mandatory, government-wide standard for
secure and reliable forms of identification issued by the federal
government to its employees and contractors.  In response, NIST has
created a set of Federal Information Processing Standards (FIPS 201)
known as the Personal Identity Verification Project. Outcry by the
public and federal employee unions prompted NIST to hold a public
meeting on January 19 to discuss privacy concerns in the
implementation of federal employee ID cards.

At the meeting, EPIC Policy Analyst Frannie Wellings told NIST and the
Office of Management and Budget that while one of the functional
objectives of the proposal is to "protect the privacy of the
cardholder," the standard they have developed does not include
adequate safeguards to accomplish this goal.  Wellings urged that a
privacy impact assessment must be performed for the proposal
immediately, and that Fair Information Practices should be a minimal
baseline for protecting employee information.  She argued that NIST
must incorporate privacy protections into the decisionmaking process
now rather than awkwardly and inefficiently adjusting the standard

Wellings noted that the standard's problems are numerous, including an
overextensive scope of data collection and storage.  Data minimization
would reduce the likelihood that the card will be used for unrelated
or potentially risky purposes.  The standard also involves contactless
cards that use radio frequency identification (RFID).  RFID poses a
security risk, allowing for remote and covert monitoring.  The
security of the information collected, displayed and made accessible
on the card requires a high level of security on the card itself as
well as oversight and privacy training for all employees accessing,
controlling, and storing the data.

Wellings also stated that the proposal must include explicit policies
limiting the collection, access and use of the data by government
agencies and the private sector.  This standard could lead to the
development of a large centralized bank of personal information, with
no guarantees on how government agencies or private contractors will
use the data.  Federal employees and other cardholders will not know
how each agency is using this information.  Furthermore, data
aggregated for specific security purposes intended to combat terrorism
might be used for unrelated purposes.

Wellings also pointed out that the standard creates the potential for
agencies to track employee movement within federal buildings,
including visits to other offices or possibly to a union office.  As
the cardholder uses the card to access various areas, a record of
these movements can be retained, creating a high volume of data about
the movements of federal employees, which could be exploited.  In
addition, if an employee is wrongly identified as a terrorist or if
her information is used inappropriately, the proposal currently
provides no methods of redress.

Wellings recommended that before this standard is further developed,
NIST must conduct a privacy impact assessment, reduce the data
collected and stored in accordance with Fair Information Practices,
and cardholders must be provided with legally enforceable rights. In
order to protect the privacy of federal employees who are dedicating
themselves to public service, legislation will be necessary to enforce
employees' rights under the proposal.

For more information on employees' privacy rights, see EPIC's
Workplace Privacy Page:


For more information on biometrics, see EPIC's Biometrics Page:


Homeland Security Presidential Directive (HSPD-12) requiring the
development of an ID system for federal employees and contractors:


Personal Identity Verification Project:


[6] News in Brief


Secrecy News reports that the Department of Homeland Security has
decided to stop making its employees sign non-disclosure agreements to
gain access to unclassified information that is marked "for official
use only" or "sensitive but unclassified."  The non-disclosure
agreements drew opposition from employees' unions and others partly
because they gave the government extraordinary power to "conduct
inspections at any time or place for the purpose of ensuring

Department of Homeland Security Management Directive 11042.1,
"Safeguarding Sensitive But Unclassified (For Official Use Only)


Intra-agency memorandum on Management Directive 11042.1, "Safeguarding
Sensitive But Unclassified (For Official Use Only) Information":



As the annual volume of junk mail approaches that of normal, first
class missives, Private Citizen and a coalition of privacy groups have
called upon legislators to reform privacy protections against unwanted
commercial postal mail.  The groups wrote: "While American residents
now enjoy substantial federal protection from telemarketing sales
calls . . . the U.S. Postal Service has not made significant strides
to reduce unwanted junk mail."  The groups continued: "To illustrate
the environmental, and privacy impact of . . . one segment of the junk
mail industry last year, consider that if each of the 5,340,243,500 .
. . trashed credit card mailings weighed just two-thirds of an ounce.
The aggregate wasted tonnage of those trashed mailings would exceed
the weight of a battle ready NIMITZ Class aircraft carrier."

The groups called for a national do-not-mail list, similar to the
registry now running for telemarketing; a no junk mail sticker for
mailboxes that would allow individuals to mark their preference not to
receive "saturation" junk mail; improvements to existing methods of
blocking mail from a certain company; an opt-out under the "National
Change of Address" program, which would stop junk mailers from getting
addresses of movers; and a change to the "Cooperative Mail Rule,"
which allows for-profit mailers to partner with non-profit
organizations to send mail at a lower postage rate.

Coalition letter calling for do-not-mail postal privacy reform:


USPS 2004 Annual Report, showing the volume of junk mail and standard


For more information about junk mail, see EPIC's Postal Privacy Page:



Federal Communications Commission Chairman Michael Powell,
Commissioner Kathleen Abernathy, and Media Bureau Chief Kenneth Ferree
have all announced they are stepping down from their posts.  In the
coming year, the Commission will continue to deal with questions of
wiretapping, broadband access and privacy, and restrictions on
telemarketing.  It remains to be seen whether the White House and
Congress will select a Chairman and Commissioner who will respond to
the strong public support for freedom of expression without
surveillance and for non-commercial use and public ownership of
communications channels.  Such public support has been demonstrated in
recent months by hundreds of thousands of comments filed on various
issues and public attendance at hearings held around the country.

More information about public opinion on privacy is available at:



In a letter to the American Association of Libraries, Google Watch has
noted that Google's agreement to digitize material for certain
libraries creates enormous potential for tracking.  Google Watch
urged, "those librarians who contract with Google for access to their
books and documents for purposes of digitization should require that
any future searches done on Google that produce this material, must
respect the anonymity of the searcher.  This would mean that Google
cannot record the IP address or unique ID from the cookie for such
searches.  Short of this, another alternative would be for libraries
to deny Google access to any literature that has political content or
relevance."  Google Watch continued, "the ALA is already involved with
discovery and lobbying on this issue with the Justice Department over
practices that grew out of the USA Patriot Act.  But keep in mind that
the scale of anything Google does is a million times larger than the
scale of anything that involves discrete libraries, access to paper
hard copy, and occasional subpoenas for specific information."

The letter also noted that Google has made commitments to five major
libraries to digitize much of the material in their catalogs -- and
has insisted that the libraries sign nondisclosure agreements in
exchange for the service.

Google Watch appeal to the American Library Association:



The Korean Personal Information Dispute Mediation Committee released
its 2004 Annual Report.  The report identifies the major privacy
issues as the release and sale of customers' personal information by a
mobile telecom company; the database-marketing of customers' personal
information; the enactment of the Fundamental Law on Protection of
Personal Information; the increased use of blogs and the opening of
private life to the public; and the leaking of personal information
through P2P and data retrieval sites.

The report is available online in English:


For more information on privacy issues in Korea, see Privacy and Human
Rights 2004:



The European Parliament's Committee on Civil Liberties, Justice and
Home Affairs will hold a public seminar on January 31 to discuss the
necessary steps and data for law enforcement activities, common
principles of protection for data used for security purposes, access
and re-use of private data for security purposes in the specific case
of air passengers, Internet users' data, and financial data.  The
hearing will feature many high level officials from European Union
data protection and security agencies.

European Parliament's Committee on Civil Liberties, Justice, and Home



Outside the Beltway, it is not well known that a Victoria's Secret
catalog is one of the key reasons that Congress included privacy
protections for financial information when passing the
Gramm-Leach-Bliley Act.  A new web page on epic.org explains how one
Member of Congress was very upset that he started receiving Victoria's
Secret catalogs at his home in Washington.  He was convinced that his
credit union sold his new address to Victoria's Secret, and as a
result, he supported an amendment to add privacy protections to
federal financial services law.

EPIC's Victoria's Secret and Financial Privacy Page:


[7] EPIC Bookstore: Prying Eyes

Eric Gertler, Prying Eyes: Protect Your Privacy From People Who Sell
to You, Snoop on You, or Steal From You (Random House Reference 2004).


"You leave an electronic trail every time you use a credit card, rent
a DVD, mail in a rebate form, go to the doctor, open a bank account,
or surf the Internet at home and at work.

"News stories about identity theft, anti-terrorist legislation,
cyber-stalking, marketing databases, and employer surveillance
practices are evidence that your privacy is violated more and more
every day. Using examples from real-life situations, Prying Eyes
reveals how, often without your knowledge, people use your personal
information to sell to you, snoop on you, and steal from you.

"Eric Gertler reveals how to minimize your exposure in every facet of
life -- at home, at the office, on vacation, at the store, at the
doctor's office, online, and on your cell phone. Beyond reporting and
speculation, Prying Eyes will empower you to take charge of your
personal information before someone else does.

"You will learn:

* How information about your bank account, credit, and purchases is
tracked, stored, and accessed -- and how to limit your exposure.

* How to protect yourself from identity theft -- and how to recover if
you've been a victim.

* Risks to your privacy at work -- why it is important to separate
your personal life from your business life.

* Threats to your medical files -- who has access to them, how they're
commonly mishandled, and how to prevent information from getting into
the wrong hands."


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

       EPIC Bookstore

       "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

12th Annual Network and Distributed System Security Symposium. The
Internet Society.  February 3-4, 2005.  San Diego, CA.  For more
information: http://www.isoc.org/isoc/conferences/ndss/05/index.shtml.

14th Annual RSA Conference.  RSA Security.  February 14-18, 2005.  San
Francisco, CA.  For more information:

The World Summit on the Information Society PrepCom 2.  February
17-25, 2005.  Geneva, Switzerland.  For more information:

3rd International Conference of Information Commissioners.  Federal
Institute of Access to Information.  February 20-23, 2005.  Cancun,
Mexico.  For more information:

The Concealed I: Anonymity, Identity, and the Prospect of Privacy.  On
the Identity Trail and the Law and Technology Program at the
University of Ottawa.  March 4-5, 2005.  Ottawa, Canada.  For more
information: http://www.anonequity.org/concealedI.

The Health Information Technology Summit West. eHealth Initiative.
March 6-8, 2005.  San Francisco.  For more information:

IAPP National Privacy Summit 2005.  International Association of
Privacy Professionals.  March 9-11, 2005.  Washington, DC.  For more
information:  http://privacyassociation.org.

O'Reilly Emerging Technology Conference.  March 14-17, 2005.  San
Diego, CA.  For more information:

Policy Options and Models for Bridging Digital Divides: Freedom,
Sharing and Sustainability in the Global Network Society.  March
14-15, 2005.  Project on Global Challenges of eDevelopment, Hypermedia
Laboratory, University of Tampere.  Tampere, Finland.  For more
information: http://www.globaledevelopment.org/forthcoming.htm.

7th International General Online Research Conference.  German
Society for Online Research.  March 22-23, 2005.  Zurich, Switzerland.
For more information: http://www.gor.de.

The 2005 Nonprofit Technology Conference.  Nonprofit Technology
Enterprise Network.  March 23-25, 2005.  Chicago, IL.  For more
information: http://www.nten.org/ntc.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
April 4-8, 2005.  Mar del Plata, Argentina.  For more information:

VoIP World Africa 2005.  April 5-7, 2005.  Terrapinn.  Johannesburg,
South Africa.  For more information:

5th Annual Future of Music Policy Summit.  Future of Music
Coalition.  April 10-11, 2005.  Washington DC.  For more information:

CFP2005: Fifteenth Annual Conference on Computers, Freedom and
Privacy.  April 12-15, 2005.  Seattle, WA.  For more information:

2005 IEEE Symposium on Security and Privacy.  IEEE Computer Society
Technical Committee on Security and Privacy in cooperation with The
International Association for Cryptologic Research.  May 8-11, 2005.
Berkeley, CA.  For more information:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing.
Technical Committee on Security & Protection in Information Processing
Systems with the support of Information Processing Society of Japan.
May 30-June 1, 2005.  Chiba, Japan.  For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005.  Luxembourg City, Luxembourg.  For more information:

3rd International Human.Society@Internet Conference.  July 27-29,
2005.  Tokyo, Japan.  For more information: http://hsi.itrc.net.

The World Summit on the Information Society.  Government of Tunisia.
November 16-18, 2005.  Tunis, Tunisia.  For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005.  Vancouver, Canada.  For more
information: http://www.icann.org.

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information, see
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.  Or you can
contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 12.02 ----------------------