                             E P I C  A l e r t
Volume 12.05                                              March 11, 2005

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] EPIC Launches West Coast Office, Continues to Probe ChoicePoint
[2] New Report: FTC Market Approach Fails to Protect Consumer Privacy
[3] "Spotlight on Surveillance" Highlights Federal Spending on Snooping
[4] EPIC Urges Careful Scrutiny of Proposed Federal Profiling Agency
[5] Comments Outline Voter Registration Problems in the 2004 Election
[6] News in Brief
[7] EPIC Bookstore: William S. Hubbartt's Workplace Privacy
[8] Upcoming Conferences and Events

[1] EPIC Launches West Coast Office, Continues to Probe ChoicePoint

EPIC launched a West Coast Office this month.  The office, located in
downtown San Francisco, will focus on state-based initiatives to
enhance consumer privacy.  Chris Jay Hoofnagle, formerly Associate
Director in EPIC's Washington office, will direct the new EPIC West

California and other states have developed innovative approaches to
privacy protection for Social Security numbers, identity theft, and
direct marketing.  For instance, California's security breach notice
law was responsible for forcing ChoicePoint to reveal its recent sale
of personal information to criminals.  EPIC West will leverage that
California law and others to promote model privacy protections for the
entire nation.

Serious questions continue to surround the sale of personal information
to criminals by ChoicePoint, a commercial data broker.  Last week, it
was revealed that ChoicePoint had also sold personal information to
criminals in 2002.  This week, security breaches were announced by
commercial data broker Seisint, and by retailer DSW Shoe Warehouse.
The continued news of new and old breaches has shifted the debate in
Washington from one where Congress was discussing whether a problem
exists, to one where legislators are focusing on what should be done.
Hearings on ChoicePoint will be held within the next week in the Senate
Banking Committee and the House Commerce and Ways and Means Committees.

Daniel J. Solove, a professor at the George Washington School of Law,
and Hoofnagle have published a proposal to address commercial data
brokers, and are requesting comment from the public on the draft.  The
"Model Privacy Regime" proposes sixteen reforms, including a
requirement that all commercial data brokers register with the Federal
Trade Commission so that individuals can learn about how their
information is used, gain access to it, and exercise other rights.
Because companies such as ChoicePoint trade in the same personal
information that is used for passwords in the credit system, the
proposal includes a call for a credit freeze right -- the ability of an
individual to prevent release of a credit report without specific
consent.  Also included in the regime is a requirement for law
enforcement to comply with specific procedures before gaining access to
a commercial data broker report on an individual.  Under current laws,
including the Fair Credit Reporting Act, law enforcement cannot gain
access to reports without showing a specific need; they should not be
able to get the same information from a commercial data broker without
complying with a similar set of procedures.

Model Privacy Regime for Commercial Data Brokers proposed by Solove and


For more information, see EPIC's ChoicePoint Page:


Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data
Brokers Collect, Process, and Package Your Data for Law Enforcement:


[2] New Report: FTC Market Approach Fails to Protect Consumer Privacy

In a policy report released last week, EPIC called upon the Federal
Trade Commission to abandon its self-regulatory approach to Internet
privacy.  For ten years, the FTC has maintained its faith in market
approaches to privacy, while business practices have become steadily
more invasive.  Self-regulation has led to a decade of disappointment;
one where Congress has been stalled and the public anesthetized, as
privacy practices have steadily worsened.

The report argues that the FTC is capable of creating reasonable and
effective privacy protections, as evidenced by the agency's Do-Not-Call
telemarketing registry.  Prior to the creation of the Registry, the
telemarketing industry created self-regulatory protections that were
largely useless.  A consumer had to write a letter to opt out of
telemarketing, or pay to opt out by giving her credit card number to
the Direct Marketing Association (DMA). The industry's self-regulatory
efforts didn't even cover all telemarketers -- only those that were
members of the DMA.  At its peak, the self-regulatory opt-out system
had fewer than 5 million enrollments.  The FTC's regulatory approach to
telemarketing was the opposite in every respect.  It is free
and easy to enroll in the government-created list, it applies to almost
all telemarketers, and its effectiveness is obvious -- the dinner hour
is preserved for the 80 million numbers enrolled in the Registry.

Just as the market failed to provide adequate protections against the
20th century problem of telemarketing, self-regulation is failing to
address the 21st century problems in electronic commerce.  New tracking
technologies exist that individuals are unaware of, and old tracking
technologies continue to be employed.  Some companies deliberately
obfuscate their practices so that consumers remain in the dark. 
Spyware has developed and flourished under self-regulation.  Emerging
technologies represent serious threats to privacy and are not addressed
by self-regulation or law.  And, while self-regulatory bodies have
busied themselves with the drafting of "short privacy notices," they
have not produced a single viable anonymous payment mechanism for

The report also notes that the worst identification and tracking
policies from the online world are finding their way into the offline
world.  In other words, the lack of protection for privacy online not
only has resulted in a more invasive web environment, but has also
started to drag down the practices of ordinary, offline retailers.  For
instance, offline retailers are engaging in more extensive profiling of
customers, including collection of information that allows businesses
to "fire" customers who complain too much.

The EPIC report concludes by urging the FTC to rethink the developments
of the past ten years in Internet privacy, and consider a baseline of
privacy protection for individuals that is consistent with Fair
Information Practices.

EPIC Report: Privacy Self-Regulation, A Decade of Disappointment:


A high-resolution PDF version of the report features advertisements for
personal data sold by major companies, including Victoria's Secret and


[3] "Spotlight on Surveillance" Highlights Federal Spending on Snooping

President Bush's proposed $2.57 trillion federal budget for Fiscal Year
2006 greatly increases the amount of money spent on surveillance
technology and programs while cutting about 150 programs -- most of
them from the Department of Education.  EPIC has launched a new project
called "Spotlight on Surveillance" which will scrutinize these
surveillance programs.

This month, "Spotlight on Surveillance" shines on Customs and Border
Protection's "America's Shield" initiative and finds that it is riddled
with holes.  The agency seeks $51.3 million in Fiscal Year 2006 for
this program, an upgrade of the existing Integrated Surveillance
Intelligence System.  America's Shield received $88.1 million in 2005
and the agency's estimate in August 2004 was that full budget requests
through 2010 would add up to $2 billion.

America's Shield uses video and sensor surveillance technology to watch
over America's borders in cities such as San Diego, California, and
Detroit, Michigan.  There are substantial problems with the America's
Shield initiative -- most significantly, the program's sensor equipment
wastes time and money because it cannot distinguish between humans and
animals.  This increase in spending on surveillance and monitoring
systems has not helped the agency's bottom line.  In 2000, the agency
made 1.6 million apprehensions; every year since then the number has
steadily fallen, now hovering around half that amount.

For more information, see EPIC's Spotlight on Surveillance Page:


EPIC's U.S. Domestic Spending on Surveillance Page:


[4] EPIC Urges Careful Scrutiny of Proposed Federal Profiling Agency

In a letter to a House subcommittee, EPIC urged careful scrutiny of the
Department of Homeland Security's proposed Office of Screening
Coordination and Operations (SCO).  EPIC explained to the House
Subcommittee on Economic Security, Infrastructure Protection, and
Cybersecurity that this proposed federal profiling agency would oversee
vast databases of digital fingerprints and photographs, eye scans and
personal information from millions of American citizens and lawful
foreign visitors.

Homeland Security is requesting $847 million to finance SCO in Fiscal
Year 2006. The agency would house several of the Transportation
Security Administration's current surveillance programs, including
Registered Traveler, United States-Visitor and Immigrant Status
Indicator Technology (US-VISIT), Free and Secure Trade, NEXUS/Secure
Electronic Network for Travelers Rapid Inspection, Transportation
Worker Identity Credential, Hazardous Materials Trucker Background
Checks, and Alien Flight School Checks.

EPIC's letter stated that "[t]his mass compilation of personal
information has inherent dangers to citizens' privacy rights and it is
imperative that SCO fulfill its legal obligations for openness and
transparency under the FOIA and Privacy Act."  Homeland Security has
announced that the office's operations would be conducted in a manner
that safeguards civil liberties, but the agency has not yet explained
how it proposes to protect privacy rights or ensure accountability.
EPIC urged the subcommittee to press the agency to openly and
transparently explain how it intends to safeguard American citizens'
privacy rights under the proposed federal profiling agency.

EPIC letter to the House Subcommittee on Economic Security,
Infrastructure Protection, and Cybersecurity:


For more information about the proposed Fiscal Year 2006 budget, see
EPIC's U.S. Domestic Spending on Surveillance Page:


[5] Comments Outline Voter Registration Problems in the 2004 Election

EPIC submitted comments to the Election Assistance Commission on a
planned survey of states to determine their performance under National
Voter Registration Act requirements.  The Federal Register announcement
published on February 22 by the commission set the deadline for receipt
of comments by February 25.  EPIC offered insight into the many
problems experienced by voter registration systems and made specific
requests for the gathering of data from the states.

EPIC's comments warned about the lack of transparency in the voter
registration process and a need for safeguards for voter privacy.
There were a number of instances where the easy access to voter
registration information may have facilitated attempts at identity
theft.  Some of the other problems may include, but are not limited to,
poor administration of voter registration, uncertainty about voter
registration status, and third party voter registration efforts.

State voter registration rolls have experienced management and
administration problems as evidenced by numerous newspaper reports
during last year's election.  The Election Protection efforts that used
the online Election Incident Reporting Systems to record voter
complaints during the 2004 election logged over 14,000 voter
registration related complaints.

These voter registration problems predate 2004.  In 2000 Florida was
given a list of 8,000 names from a data broker -- since acquired by
ChoicePoint -- which incorrectly identified them as having felony
convictions in the state of Texas.  This is only one of the many errors
discovered on the purge list used in that, and other, states during the
2000 Presidential election.  In 2004 some of the same problems
reoccurred when Accenture provided the felon purge list containing
47,763 names.  This list was later found to have many errors, forcing
it to be discarded.

The issue that EPIC is monitoring involves provisions of the Help
America Vote Act, which requires every state to adopt a
statewide-centralized voter registration list that will allow access to
each election official within the state, comparisons of records with
motor vehicle records, and with the Social Security Administration for
those without state identification.  The solution that some states are
pursuing involves the outsourcing of this requirement to private
contractors.  Data brokers like Accenture, which has netted a number of
state contracts for this work to centralize voter registration lists,
have Florida, Pennsylvania, Wisconsin, and Colorado as clients.

EPIC comments to the Election Assistance Commission:


For more information, see EPIC's Centralized Voter Registration
Database Page:


EPIC's Voting Page:


[6] News in Brief

Senators Propose Bill to Examine Delays in FOIA Processing

Senators John Cornyn (R-TX) and Patrick Leahy (D-VT) have introduced
the Faster FOIA Act, legislation that will create a sixteen-member
advisory commission to examine the efficacy of the Freedom of
Information Act.  The commission would be tasked with suggesting ways
to decrease delays in the processing of Freedom of Information Act
requests, as well as studying whether the system for charging fees and
granting fee waivers causes delays in processing.  The commission would
be required to issue a report to Congress on its findings.

In related news, the Senate Judiciary Committee's Subcommittee on
Terrorism, Technology and Homeland Security will hold a hearing on the
OPEN Government Act on March 15.  The bill, proposed by Sens. Cornyn
and Leahy last month, would improve government accountability by
expanding and fortifying the Freedom of Information Act (see EPIC
Alert 12.04).

The Faster FOIA Act:


For more information, see EPIC's Open Government Page:


Bank of America Loses 1.2 Million Federal Employees' Personal Data

On February 25, Bank of America confirmed that it had lost "a small
number of computer data tapes" during shipment in December 2004
containing charge card program and account information on 1.2 million
federal workers.  The personal information on the tapes included names,
addresses and Social Security Numbers, leaving individuals prone to
identity theft.  Bank of America did not specify how the tapes
disappeared, but Senator Charles E. Schumer (D-NY) said he was told the
data backup tapes were likely stolen off a commercial plane by baggage
handlers.  It is unclear whether Bank of America encrypted the personal
data before shipping it on tapes to its backup data center.

People who may have been affected have been advised to monitor
activities on their accounts, but Bank of America does not offer a free
credit report monitoring service to them.  Sen. Susan Collins (R-ME)
has called for Bank of America to detail the bank's actions to ensure
the safety of federal credit cardholders' personal data.

Bank of America press release:


32,000 Americans at Risk After Data Broker's Security Breach

Data broker LexisNexis announced that its subsidiary, Seisint, may have
allowed criminals to access sensitive information on 32,000 U.S.
citizens, including names, addresses, Social Security and driver's
license numbers.  Seisint is a Florida firm that sells data amassed
from public records to law enforcement agencies, businesses, private
investigators, and others.  Seisint is also responsible for the
Multistate Anti-Terrorism Information Exchange Program (MATRIX), a
controversial law enforcement data mining program that has floundered
in recent months due in part to privacy concerns.

Seisint's security breach comes on the heels of two other data access
scandals.  A month ago, it was revealed that data broker ChoicePoint
sold data on 145,000 people to a criminal ring engaged in identity
theft. Just two weeks ago Bank of America announced that data tapes
containing personal information on 1.2 million federal employees were
either stolen or lost in late December.

For more information on MATRIX, visit:


For more information, see EPIC's ChoicePoint Page:


For more information, see EPIC's Financial Privacy Page:


Agency Upholds Dismissal of EPIC's Claims Against Northwest

The Department of Transportation has affirmed its dismissal of EPIC's
complaint against Northwest Airlines, concluding that "an enforcement
action is not in the public interest."  EPIC had argued that the
airline violated its privacy policy by disclosing millions of passenger
records to NASA for use in a data mining study, thus committing an
unfair and deceptive trade practice.

Department of Transportation Order Affirming Dismissal:


For more information, see EPIC's page on the Northwest disclosure:


EPIC Introduces New Web Page on Secure Flight

EPIC has added a web page to its site focusing on the Transportation
Security Administration's Secure Flight passenger prescreening proposal.
The page provides the latest news on the controversial program,
discusses its history, and describes its current status.  The page also
provides resources on Secure Flight from the Transportation Security
Administration and the Government Accountability Office's recent report
on measures for testing the use of commercial data within Secure Flight.

EPIC's Secure Flight Page:


[7] EPIC Bookstore: William S. Hubbartt's Workplace Privacy

William S. Hubbartt, The New Battle over Workplace Privacy: How Far Can
Management Go? What Rights Do Employees Have? Safe Practices to Minimize
Conflict, Confusion, and Litigation (American Management Association


"Employers need to protect themselves from workers whose behavior
damages the company.  Does that give them the right to conduct random
drug tests, read employees' e-mail, search desk drawers, and monitor
off-the-job activities?

"Workplace privacy issues are complex -- many employers are confused
about their legal and ethical rights.  The New Battle Over Workplace
Privacy provides critical information to help companies create
appropriate policies and practices.  Through case examples, highlights
of state and federal laws, checklists, and sample policies, this book
shows a company how to:

" -- protect itself from employee theft, substance abuse, and other
  -- stay within legal bounds by learning what laws are (and aren't) in
  -- avoid litigation
  -- and win the cases that do go to court."


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine
Act, and the Federal Advisory Committee Act.  The 22nd edition fully
updates the manual that lawyers, journalists and researchers have
relied on for more than 25 years.  For those who litigate open
government cases (or need to learn how to litigate them), this is an
essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price:
$40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and international privacy law, as well
as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

O'Reilly Emerging Technology Conference.  March 14-17, 2005.  San
Diego, CA.  For more information:

Policy Options and Models for Bridging Digital Divides: Freedom,
Sharing and Sustainability in the Global Network Society.  March 14-15,
2005. Project on Global Challenges of eDevelopment, Hypermedia
Laboratory, University of Tampere.  Tampere, Finland.  For more
information: http://www.globaledevelopment.org/forthcoming.htm

2005 National Freedom of Information Day Conference.  First Amendment
Center.  March 16, 2005.  Washington, DC.  For more information:

Conference: Implementing PIPEDA: A Review of Internet Privacy
Statements and On-Line Practices. Centre for Innovation Law and Policy
and Information Policy Research Program. March 18, 2005. Toronto,
Ontario. For more information: http://pipedaproject.rcat.utoronto.ca

7th International General Online Research Conference.  German Society
for Online Research.  March 22-23, 2005.  Zurich, Switzerland. For more
information: http://www.gor.de

The 2005 Nonprofit Technology Conference.  Nonprofit Technology
Enterprise Network.  March 23-25, 2005.  Chicago, IL.  For more
information: http://www.nten.org/ntc

The Global Flow of Information Conference 2005.  Information Society
Project at Yale Law School.  April 1-3, 2005.  New Haven, CT.  For more

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
April 4-8, 2005.  Mar del Plata, Argentina.  For more information:

VoIP World Africa 2005.  April 5-7, 2005.  Terrapinn.  Johannesburg,
South Africa.  For more information:

RFID Journal LIVE! 2005. April 10-12. Chicago, IL. For more
information: http://www.rfidjournallive.com

CFP2005: Fifteenth Annual Conference on Computers, Freedom and Privacy.
April 12-15, 2005.  Seattle, WA.  For more information:

2005 IEEE Symposium on Security and Privacy.  IEEE Computer Society
Technical Committee on Security and Privacy in cooperation with The
International Association for Cryptologic Research.  May 8-11, 2005.
Berkeley, CA.  For more information:

SEC2005: Security and Privacy in the Age of Ubiquitous Computing.
Technical Committee on Security & Protection in Information Processing
Systems with the support of Information Processing Society of Japan.
May 30-June 1, 2005.  Chiba, Japan.  For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005.  Luxembourg City, Luxembourg.  For more information:

3rd International Human.Society@Internet Conference.  July 27-29, 2005.
Tokyo, Japan.  For more information: http://hsi.itrc.net

PEP05: UM05 Workshop on Privacy-Enhanced Personalization.  July 2005.
Edinburgh, Scotland.  For more information:

5th Annual Future of Music Policy Summit.  Future of Music Coalition.
September 11-13, 2005.  Washington DC.  For more information:

The World Summit on the Information Society.  Government of Tunisia.
November 16-18, 2005.  Tunis, Tunisia.  For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005.  Vancouver, Canada.  For more
information: http://www.icann.org

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or
write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 12.05 -------------------------