                             E P I C  A l e r t
Volume 12.06                                              March 24, 2005

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] EPIC Calls for Regulation of Choicepoint; Coalition Demands Action
[2] Madrid Summit Urges Democratic Response to Threats of Terrorism
[3] Google's Gmail Subject of EPIC West Testimony in California Senate
[4] Transportation Biometric ID Raises Privacy Concerns; Review Urged
[5] EPIC Introduces EPIC FOIA Notes, 2005 FOIA Gallery
[6] News in Brief
[7] EPIC Bookstore: J.J. Luna's "How to Be Invisible"
[8] Upcoming Conferences and Events

[1] EPIC Calls for Regulation of Choicepoint; Coalition Demands Action

EPIC Executive Director Marc Rotenberg urged lawmakers to regulate
Choicepoint and other data brokers in testimony last week before a House
subcommittee on consumer protection. Mr. Rotenberg testified that there
is too much secrecy and too little accountability in the business
dealings of data brokers, and the Choicepoint debacle underscores the
need for federal regulation of the information broker industry.
Choicepoint recently admitted that it had sold personal information on
145,000 people to a criminal ring involved in identity theft.

Congressional members questioned Choicepoint about its response to the
situation. Rep. Edward J. Markey (D-MA) asked Choicepoint to do more for
the 145,000 victims than the data broker has done. Choicepoint has
agreed to give the victims a year of free credit monitoring, but Rep.
Markey asked Choicepoint CEO Derek Smith to give "a lifetime monitoring
service and instant e-mail and postal alerts for each and every consumer
has been victimized as a result of Choicepoint's negligence." Rep.
Markey also asked Mr. Smith to give each victim "exactly what personal
information was compromised and not this vague letter telling them that
it could include all of this, but we're not going to give you the exact

Mr. Smith did not immediately agree to extend the monitoring service for
the victims. However, Mr. Smith did agree to give "the specific
information that was on that report that could potentially could have
been used," to each victim that requested the information from

In December EPIC filed a complaint with the Federal Trade Commission
raising questions about Choicepoint and other data brokers' business
practices. Rep. Markey asked FTC Chairman Deborah Platt Majoras if the
commission began to investigate Choicepoint after receiving EPIC's
complaint. Chairman Majoras said that the FTC did not begin its
investigation of Choicepoint until later.

Rep. Markey expressed disappointment with the FTC's actions. "The point
I'm trying to make here is that I think that there was a warning, that
there was information at the Federal Trade Commission, that the Federal
Trade Commission has to be much more aggressive than it has been in the
pursuit of the protection of the privacy of individuals. And this is the
perfect example of where the Federal Trade Commission was not as
aggressive as the American people would expect you to be," he said.

After the House subcommittee hearing, EPIC, Privacy Rights
Clearinghouse, PIRG, Privacy Times, and World Privacy Forum wrote to
Chairman Majoras, requesting that the agency reevaluate its position
concerning Choicepoint and other commercial data brokers. The groups
wrote that the FTC testimony at the hearing "was not well informed, and
did not adequately reflect the concerns of American consumers about the
sale of their sensitive personal information."

The letter said that the FTC may be responsible for the growth of the
commercial data broker industry. In the 1990s, the FTC defined "credit
report" in such a way as to create the "credit header loophole." This
loophole allowed many businesses to openly traffic in Social Security
Numbers with no restriction at all, fueling the databases of companies
like Choicepoint. Also in the 1990s, in response to congressional
attention, commercial data brokers developed a weak self-regulatory
system, known as the Individual Reference Services Group (IRSG)
Principles. The principles allowed commercial data brokers to sell
Social Security Numbers and other information to whomever they deemed
"qualified." The principles contained no effective right to opt-out, no
right to free access, no right of enforcement, and no right to
correction. In light of the weak IRSG Principles, however, the FTC did
not call for substantive regulation of the industry.

EPIC's Testimony before the House Subcommittee on Commerce, Trade, and
Consumer Protection (pdf):


Coalition Letter on FTC Choicepoint Testimony (pdf):


EPIC's December 2004 Complaint to the FTC:


Request your Choicepoint Background Check and Public Records and report
by visiting:




EPIC's Choicepoint page:


[2] Madrid Summit Urges Democratic Response to Threats of Terrorism

World leaders, policy experts, and civil society representatives
gathered in Madrid, Spain, to commemorate the victims of the railway
train bombing of March 11, 2004 and to consider how democratic
governments should best respond to the threat of future acts of
terrorism. The International Summit on Democracy, Terrorism, and
Security concluded with the release of the Madrid Agenda. The statement
is "an agenda for action for Governments, institutions, civil society,
the media and individuals," and "[a] global democratic response to the
global threat of terrorism." Among other recommendations, the leaders of
democratic governments proposed "[t]he creation of a global citizens
network, linking the leaders of civil society at the forefront of the
fight for democracy from across the world, taking full advantage of
web-based technologies and other innovative forms of communication."

At the closing plenary session UN Secretary General Kofi Annan urged
governments to safeguard human rights and the rule of law. Mr. Annan
said that "many measures which States are currently adopting to counter
terrorism infringe on human rights and fundamental freedoms." Mr. Annan
warned that "compromising human rights cannot serve the struggle against
terrorism. On the contrary, it facilitates achievement of the
terrorist's objective - by ceding to him the moral high ground, and
provoking tension, hatred and mistrust of government among precisely
those parts of the population where he is most likely to find recruits."

A special session on "Democracy, Terrorism and the Internet" issued a
declaration, "The Infrastructure of Democracy," urging governments to
understand that an open Internet, like democratic government, provides
the best response to future acts of terrorism. According to the
declaration, "The Internet is fundamentally about openness,
participation, and freedom of expression for all -- increasing the
diversity and reach of information and ideas." The declaration also
urged governments to avoid restrictions on anonymity, which "would be
highly unlikely to stop determined terrorists, but would have a chilling
effect on political activity and thereby reduce freedom and

The Varsavsky Foundation, in collaboration with the Spanish government,
helped organize the event and supported civil society participation.

International Summit on Democracy, Terrorism, and Security:


The Madrid Agenda:


Speech of Kofi Annan:


The Infrastructure of Democracy:


The Infrastructure of Democracy (Spanish):


The Varsavsky Foundation:


The Public Voice:


[3] Google's Gmail Subject of EPIC West Testimony in California Senate

In testimony to the California Senate Judiciary Committee, EPIC West
Director Chris Jay Hoofnagle argued that Google's Gmail service presents
significant risks to personal privacy. Gmail is an advertising-supported
e-mail system that offers 1 gigabyte of storage. The Gmail system reads
the actual content of e-mail and attachments in order to target
advertising. While Google calls this process content "scanning," the
company's patents use the phrase "content extraction" to describe the
Gmail model.

Mr. Hoofnagle argued that Gmail users bargain away their own privacy,
but in doing so, also give away the privacy of non-subscribers. Those
who send e-mail to Gmail users also experience content extraction but
never receive notice or consent to the process.

Many information collection programs originally performed for commercial
purposes are now used for law enforcement or anti-terrorism purposes,
Mr. Hoofnagle said. In the 1990s, privacy advocates warned regulators
that direct marketers would turn over their information to the
government. Now we know that instead of turning it over, major direct
marketing companies, including Acxiom and Choicepoint, actively sell
personal information to the government. Similar risks exist with Gmail,
although Google did not address those risks in its testimony. Instead,
the company focused the debate on whether "personally identifiable
profiles" are created by content extraction. The company argues that
since there is no data retention from content extraction, there is no
risk to privacy. However, this argument ignores the risk that the Gmail
system could change, either by the company's own initiative, or by court
order sought by a law enforcement agency.

The ACLU of Northern California, also testifying at the hearing, argued
that content extraction may reduce Fourth Amendment expectations of
privacy. If a major online e-mail provider such as Google is allowed to
monitor private communications, even in an automated way, the
expectations of e-mail privacy may be eroded. These effects are
long-term and will undoubtedly outlive Gmail.

Google defends Gmail by stating that e-mail scanning is no different
than virus scanning or spam interdiction. While it is true that there is
no technical difference between these functions, there is a fundamental
legal difference. The law has long recognized that communications providers
should not peek into the contents of a message unless they have a valid
reason relating to the delivery of service. At the hearing, Google did
not address the legal difference.

EPIC Testimony on Gmail:




[4] Transportation Biometric ID Raises Privacy Concerns; Review Urged

In comments filed on March 18, EPIC urged the Transportation Security
Administration to delay its test of biometric technology for
transportation workers until it conducts a comprehensive Privacy Impact
Assessment. The assessment should allow the agency "to ensure protection
of the privacy rights of program members." EPIC said that the program
must comply with the federal Privacy Act and noted that there are unique
problems associated with biometric technologies.

The comments discussed EPIC's congressional testimony in July 2002,
which explained these unique problems. "First, the uniqueness of
biometric data is affected by time, variability and data collection.
This leads to the second problem: the technologies available are subject
to varying degrees of error, which means that there is an element of
uncertainty in any match. Third, there are several ways to circumvent a
biometrics system," EPIC said in the comments.

EPIC also explained that there could be severe consequences for an
individual whose biometric identifier has been compromised. "It is
possible to replace a credit card or Social Security numbers, but how
does one replace a fingerprint, voiceprint, or retina scan?" EPIC asked.

EPIC stated that allowing employees access to their records would help
ensure the accuracy of the information collected and used. EPIC also
urged the agency to incorporate privacy protections into the
decision-making process so that the agency could avoid "later having to
awkwardly, expensively, and inefficiently" adjust its biometric
technology systems.

EPIC's March 18 Comments to the Transportation Security Administration:


EPIC's July 2002 Congressional Testimony:


EPIC's Biometrics page:


[5] EPIC Introduces EPIC FOIA Notes, 2005 FOIA Gallery

In celebration of Sunshine Week earlier this month, the Electronic
Privacy Information Center launched EPIC FOIA Notes, a new online
publication that will help bring attention to secrecy in the federal

EPIC FOIA Notes gives subscribers fast access to important documents
obtained by EPIC under the Freedom of Information Act, allowing users of
mobile devices to learn quickly about important open government news.
The publication also gives readers images of actual documents obtained
by EPIC under the FOIA. Links from a short text message go directly to
a web page that provides information about the government's latest
disclosures, as well as links to other FOIA resources.

The first two editions of EPIC FOIA Notes highlighted documents recently
obtained by EPIC from the FBI about data broker Choicepoint. The
documents were released as two Congressional hearings examined
Choicepoint's sale of personal information on 145,000 consumers to
criminals posing as legitimate businesses.

In honor of Freedom of Information Day on March 16, EPIC also published
the 2005 FOIA Gallery. The web page highlights scanned images of EPIC's
most compelling FOIA disclosures from the past year. Featured documents
include an e-mail EPIC obtained from NASA revealing that Northwest
Airlines gave the FBI a year's worth of passenger data after 9/11, as
well as documents showing that the Census Bureau gave the Department of
Homeland Security census data on Arab Americans.

Subscribe to EPIC FOIA Notes (please note that Alert subscribers will
not automatically receive the publication):


EPIC FOIA Notes #2: Choicepoint and FBI:


EPIC 2005 FOIA Gallery:


[6] News in Brief

FTC Makes Recommendations About RFID But Remains Noncommittal

The Federal Trade Commission (FTC) released a report outlining the
contents of a workshop on radio frequency identification technology
(RFID) it held in June 2004. The FTC recommended that companies using
RFIDs should ensure that industry initiatives are "transparent," that
the notice about the use of technology is "clear conspicuous and
accurate," and that consumers are notified if an RFID tag or reader is
present and if the technology is being used to collect personally
identifiable information. The agency's recommendations seem
noncommittal, however, and the agency does not appear to adopt a very
proactive role in protecting consumers' interests. The FTC instead
relies on the RFID industry to come up with self-imposed guidelines,
which usually lack penalties for noncompliance or effective
accountability and enforcement mechanisms.

Federal Trade Commission's Report, "RFID: Radio Frequency
Identification: Applications and Implications for Consumers: A Workshop
Report From the Staff of the Federal Trade Commission":


EPIC's RFID page:


Full Senate to Consider Faster FOIA Act

The Senate Judiciary Committee voted unanimously during Sunshine Week to
send the Faster FOIA Act, S. 589, to the full Senate. If passed by
Congress, the legislation would impanel a sixteen-member advisory
commission to examine how efficiently the Freedom of Information Act
functions. The commission would propose ways to decrease delays in the
processing of Freedom of Information Act requests, as well as determine
whether the system for charging fees and granting fee waivers causes
delays in processing. The commission would be required to report to
Congress on its findings.

The Faster FOIA Act:


EPIC's Open Government Page:


Treasury Issues New Customer Notification Breach Regulation

Under new regulations that take effect immediately, financial
institutions must develop response programs for incidents where
unauthorized access is gained to personal information. Institutions must
assess the incident, give notice to federal regulators whenever
"sensitive" personal information is accessed, and take steps to "contain
and control" the incident to prevent further unauthorized access. When
"the institution determines that misuse of its information about a
customer has occurred or is reasonably possible, it should notify the
affected customer as soon as possible."

Guidance on Response Programs for Unauthorized Access to Consumer
Information (pdf):


EPIC and US PIRG Comments on Response Programs:


Links to Free Credit Report Site Unblocked

In a policy shift, the major credit reporting agencies have unblocked
Internet links to the free credit report site, annualcreditreport.com.
Previously, the companies only accepted links from a few web sites, and
prevented news organizations, state attorneys general, and consumer
groups from providing web links to the site. In December 2004, EPIC and
other groups urged the Federal Trade Commission to order that the links
be unblocked. In light of the group letter, Rep. Barney Frank (D-MA)
wrote to the credit industry trade group to summarize changes made at
the site to make it more consumer friendly. Additionally, a recent
report by the World Privacy Forum urges consumers not to use the free
site at all, but rather call to get their reports, as the free site
engages in unnecessary data collection and presents other risks to

Group Letter to the FTC About the Free Credit Report Site:


Letter from Representative Frank Concerning Changes to the Site (pdf):


World Privacy Forum Report, "Call, Don't Click":


Congress's Intervention in Schiavo Case Raises Issue of "Living Wills"

On March 21 Congress passed, and President Bush signed, a law that
preempted state jurisdiction over the case of Terri Schiavo, a woman who
is brain-damaged, and transferred jurisdiction to a U.S. district court
for a federal judge to review. Schiavo's husband and her parents have
been engaged in a legal battle about whether to permit Schiavo to die or
be kept alive by a feeding tube. The controversy highlights the
importance of making a "living will" to unambiguously explain what a
person would want in such a case. Only an estimated one-fifth of
Americans have drawn up a document stating their wishes in the
eventuality that they become incapacitated. Further complicating the
debate is the fact that state laws on the subject vary.

Text of the Terri Schiavo Bill:


European Ethics Group Raises Concerns About ICT Implants

On March 16 the European Group on Ethics in Science and New Technologies
presented an opinion to the European Commission about the ethical
aspects of information and communication technologies (ICT) implants in
the human body. The opinion dealt with the applications of ICT implants
for health and non-medical purposes, and said the latter applications
are a potential threat to human dignity and democratic society.
Non-medical ICT implant applications are not explicitly covered by
existing legislation, and the group recommended that the European
Commission launch legislative initiatives in these areas.

Opinion of the European Group on Ethics in Science and New Technologies
to the European Commission on the Ethical Aspects of ICT Implants in the
Human Body (pdf):


EPIC's VeriChip page:


[7] EPIC Bookstore: J.J. Luna's "How to Be Invisible"

J.J. Luna, How to Be Invisible: The Essential Guide to
Protecting Your Personal Privacy, Your Assets, and Your Life (Thomas
Dunne Books 2004)


"From cyberspace to crawl spaces, new innovations in information
gathering have left the private life of the average person open to
scrutiny, and worse, exploitation. In this thoroughly revised update of
his immensely popular guide How to Be Invisible, J.J. Luna shows you how
to protect yourself from these information predators by securing your
vehicle and real estate ownership, your bank accounts, your business
dealings, your computer files, your home address, and more.

"J.J. Luna, a highly trained and experienced security consultant, shows
you how to achieve the privacy you crave and deserve, whether you just
want to shield yourself from casual scrutiny or take your life savings
with you and disappear without a trace. Whatever your needs, Luna
reveals the shocking secrets that private detectives and other seekers
of personal information use to uncover information and then shows how to
make a serious commitment to safeguarding yourself.

"There is a prevailing sense in our society that true privacy is a thing
of the past. Filled with vivid real life stories drawn from the
headlines and from Luna's own consulting experience, How to Be
Invisible, Revised Edition is a critical antidote to the privacy
concerns that continue only to grow in magnitude as new and more
efficient ways of undermining our personal security are made available.
Privacy is a commonly-lamented casualty of the Information Age and of
the world's changing climate -- but that doesn't mean you have to stand for


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, recommendations and proposals for future
action, and a useful list of resources and contacts for individuals
and organizations that wish to become more involved in the WSIS
process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

F2C: Freedom to Connect. March 30-31, 2005. Washington, DC. For more
information: http://freedom-to-connect.net/

The Global Flow of Information Conference 2005. Information Society
Project at Yale Law School. April 1-3, 2005. New Haven, CT. For
more information:
http://islandia.law.yale.edu/isp/GlobalFlow/registration.htm.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
April 4-8, 2005. Mar del Plata, Argentina. For more information:
http://www.icann.org.

VoIP World Africa 2005. April 5-7, 2005. Terrapinn. Johannesburg,
South Africa. For more information:
http://www.terrapinn.com/2005/voipza/confprog.stm.

Private Conduct/Private Places: New Media, Surveillance, Sexuality.
April 8-9, 2005. UC Berkeley. For more information:
http://cnm.berkeley.edu/events_news/index.php

RFID Journal LIVE! 2005. April 10-12. Chicago, IL. For more
information: http://www.rfidjournallive.com.

CFP2005: Fifteenth Annual Conference on Computers, Freedom and
Privacy. April 12-15, 2005. Seattle, WA. For more information:
http://www.cfp2005.org.

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society
Technical Committee on Security and Privacy in cooperation with The
International Association for Cryptologic Research. May 8-11, 2005.
Berkeley, CA. For more information:
http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html.

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence
of Privacy & Security. May 23-24, 2005. Atlanta, Ga. For more
information:
http://www.pli.edu/product/program_detail.asp?ptid=511&stid=3&id=EN00000000019985

SEC2005: Security and Privacy in the Age of Ubiquitous Computing.
Technical Committee on Security & Protection in Information Processing
Systems with the support of Information Processing Society of Japan.
May 30-June 1, 2005. Chiba, Japan. For more information:
http://www.sec2005.org.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005. Luxembourg City, Luxembourg. For more information:
http://www.icann.org.

3rd International Human.Society@Internet Conference. July 27-29, 2005.
Tokyo, Japan. For more information: http://hsi.itrc.net.

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:
http://www.futureofmusic.org/events/summit05/index.cfm.

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:
http://www.icann.org.

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

      https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

      http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information.

EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research. For more information, see
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248
(fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:

      http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 12.06 ----------------------