EPIC logo

                             E P I C  A l e r t
Volume 12.08                                              April 21, 2005

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] EPIC FOIA Note #3: Voting Machine Vendor Misled Election Officials
[2] States and Congress to Regulate Data Brokers in Wake of Scandals
[3] Controversial Database Project MATRIX Closes Down
[4] California Considers Prohibiting RFID Use in State ID Cards
[5] Choicepoint, Voter Rolls and Public Records Highlighted at CFP 2005
[6] News in Brief
[7] EPIC Bookstore: Mari J. Frank's Guide to Ending Identity Theft
[8] Upcoming Conferences and Events

[1] EPIC FOIA Note #3: Voting Machine Vendor Misled Election Officials

In the third edition of "EPIC FOIA Notes," formerly secret documents
obtained by EPIC from Ohio reveal that Diebold misled state officials
about the capability of its voting machines. Diebold claimed that its
touch screen AccuVote machines would last at least 20 years. However,
the Independent Testing Authority (ITA) Wyle Laboratories, which Diebold
paid to evaluate its AccuVote voting system, reported that the machines
would only be reliable for 8 years.

Diebold is the same company that misled California about its AccuVote
machines. California barred the use of this voting system in the 2004
election. In Maryland, some Diebold machines broke down on Election Day

"EPIC FOIA Notes" gives subscribers fast access to important documents
obtained by EPIC under the Freedom of Information Act, allowing users of
mobile devices to learn quickly about important open government news.
The first two editions highlighted documents recently obtained from the
FBI about data broker Choicepoint.

EPIC FOIA Notes #3:


Subscribe to EPIC FOIA Notes (please note that Alert subscribers will
not automatically receive the publication):


EPIC's Public Information Requests to States on DRE Voting Technology


[2] States and Congress to Regulate Data Brokers in Wake of Scandals

State legislatures and Congress are beginning to consider how to address
the privacy problems caused by commercial data brokers, companies that
sell personal information, such as Choicepoint, LexisNexis, and Acxiom.
All three companies testified before the Senate Judiciary Committee last
week, where Sen. Dianne Feinstein (D-CA) asked whether any of the
companies had a security breach prior to 2003, before they were under a
legal obligation to notify consumers. Choicepoint testified that it had,
LexisNexis testified that it believed it had breaches, and Acxiom
testified that it had a breach in 2003 and notified its clients (big
businesses that transferred consumer data to Acxiom) but not consumers.
Sen. Feinstein concluded, "This is my point: If it weren't for the
California law [requiring notice to consumers of security breaches], we
would have no way of knowing breaches that have occurred. It's really
only because of that law that we now know. We, in no way, shape or form,
are able to pierce the depth of what has happened in this industry."

Meanwhile, California and New York introduced legislation to
bring commercial data brokers and sellers of personal information for
direct marketing purposes under regulation similar to the Fair Credit
Reporting Act. Both bills incorporate many of the remedies to the
commercial data broker problem proposed by EPIC West Director Chris
Hoofnagle and George Washington Law School Professor Daniel Solove. The
California legislation, SB 550 introduced by Sen. Jackie Speier (D-San
Francisco), would give individuals important rights over their
information held by data brokers. If passed, Californians would be able
to access and correct their records, opt-out of having their data in
reports, obtain an accounting of disclosures of their information, and
obtain a free credit freeze if a data broker has a security breach.
(Credit reports that are "frozen" or sealed can be made available only
when the individual "thaws" her file, and specifies to whom, when, or in
what contexts the file can be released.) Individuals would also have the
ability to sue for violations of the law.

The New York legislation, proposed by Attorney General Eliot Spitzer,
would allow individuals to remove their information from data brokers'
and direct marketers' databases. New Yorkers could gain access to their
profiles, and would receive notice whenever their dossiers were sold. If
passed, New York would be the fifth state to provide its citizen with
credit freeze legislation. Such laws exist in California, Texas,
Louisiana and Vermont).

Next week, the Senate Commerce Committee will hold a hearing on
Choicepoint. EPIC will continue to track these issues and report on
important developments.

Text of the Proposed California SB 550:


Proposed New York Legislative Package:


Model Privacy Regime Version 2.0 by Daniel Solove and Chris Hoofnagle:


EPIC's Choicepoint page:


[3] Controversial Database Project MATRIX Closes Down

The Multistate Anti-Terrorism Information Exchange (MATRIX), a
three-year-old crime and terrorism database, closed down Friday because
its federal funding ran out. MATRIX was run by Florida and LexisNexis
subsidiary Seisint, which last week announced a security breach that
compromised data on 310,000 Americans. MATRIX drew criticism because the
database had detailed files about innocent people, including credit
histories and fingerprints.

Nine states had left the project during its three-year history citing
privacy, legal and cost concerns. Four states remained in the program:
Ohio, Connecticut, Pennsylvania, and Florida. MATRIX had been financed by
$12 million in federal grants. Elements of MATRIX may continue if individual
states decide to finance it on their own.

The personal information contained in MATRIX included individuals'
names, past addresses, telephone numbers, Social Security numbers, dates
of birth, credit information, driver's license photographs, marriage and
divorce records, names and addresses of family members, and neighbors'
addresses and telephone numbers. Some of the information was incorrect,
but individuals were unable to correct their records.

News Release Announcing MATRIX Closure on April 15, 2005:


EPIC's amicus brief before the Supreme Court in Hiibel v. Nevada
describing MATRIX (pdf):


MATRIX site:


[4] California Considers Prohibiting RFID Use in State ID Cards

Federal and state officials have been considering attaching "tag and
track" devices, known as RFIDs (Radio Frequency Identification tags), to
government documents. California State Sen. Joe Simitian (D-11) has
introduced "The Identity Information Protection Act" (SB 682), which
would prohibit the inclusion of RFIDs in identity documents issued by
state agencies, such as driver's licenses, student identification
badges, and medical cards. A broad coalition of privacy rights,
consumer, and civil liberties groups are supporting the bill.

RFID tags are tiny integrated circuits with small antennae that enable
information to be scanned remotely without the person's knowledge. This
information could include the personal data displayed on ID cards,
including an individual's name, address, telephone number, date of
birth, photograph, fingerprint, Social Security number and any other
unique personal identifier or number. This information could easily be
read by any person armed with a RFID reader, and then be used for
stalking, kidnapping, or identity theft.

Every year, about 10 million persons are victims of identity theft.
RFID-enabled ID cards that are not properly designed and have weak
technological safeguards are likely to make the crime of identity theft
easier to commit.

Text of Proposed SB 682: "The Identity Information Protection Act" (pdf):


EPIC's RFID page:


[5] Choicepoint, Voter Rolls and Public Records Highlighted at CFP 2005

Many privacy issues were discussed at the 15th Annual Computers, Freedom
and Privacy Conference held in Seattle, Wash., last week. Three
Washington members of EPIC participated in panels discussing consumer
rights, voting rights, and data mining and public records.

Chris Hoofnagle, director of EPIC's West Coast Office in San Francisco,
discussed the emerging privacy problems presented by commercial data
brokers, such as Choicepoint.  Mr. Hoofnagle explained that the
companies collected personal information from public records, government
databases such as motor vehicle repositories, and companies that sell
consumer data. Mr. Hoofnagle emphasized that commercial data brokers
often sell two lines of information reports, one that is regulated under
the Fair Credit Reporting Act (FCRA), and a parallel line of reports
that contain similar information but are not covered by the Act. This
parallel line of non-FCRA reports is sold to many parties, and
individuals have no ability to correct errors, see who has obtained
their reports, or to limit the distribution of their information.

Lillie Coney, EPIC Associate Director, and Dr. Barbara Simons, Co-chair
of Association for Computing Machinery's US Public Policy Committee,
headed a panel discussing plans by states to implement
statewide-centralized voter registration systems. A little-known
provision of the Help America Vote Act requires that states, with the
assistance of the newly created U.S. Election Assistance Commission,
develop such databases by 2006. Panelists discussed the importance of
fair information practices. Such practices provide notice and assurance
to voters that the information provided to the state will be used for
the purpose it was collected, that it will be accurate, that voters will
have an opportunity to correct inaccurate information and that voter's
information will be secure. Also discussed was the larger issue of
security presented by insider and outsider threats as well as potential
vulnerabilities in these database systems.

Marcia Hofmann, Director of the EPIC Open Government Project, moderated
a session challenging conference participants to pose solutions to
complex issues created by public records and data mining. The panel
proposed hypothetical problems about posting personal information online
through public records and making conviction records available through
commercial databases, and asked the audience how to resolve the
complicated privacy and access issues created by each scenario. Panel
participants Cindy Southworth, Technology Director of National Network
to End Domestic Violence; Professor Dan Solove, George Washington
University Law School; and Doug Klunder, Privacy Project Director at the
American Civil Liberties Union of Washington, respectively played the
roles of privacy advocate, media representative, and the data brokerage
industry to add diverse perspectives to the spirited discussion.

EPIC's Choicepoint page:


EPIC's Statewide Centralized Voter Registration Databases page:


National Committee for Voting Integrity:


[6] News in Brief

Data Security Breaches Grow in Frequency, Magnitude

News reports continue to abound detailing new and existing personal
information security breaches. These reports are driven by security
breach notices issued to consumers by institutions that contain Social
Security, driver's license, or account numbers that were accessed by
unauthorized parties. These notices are required by a California state
law that went into effect in 2003. This law has pierced the public
relations veil of the data industry, revealing that security breaches
are much more common than previously thought. In recent weeks, shoe
company DSW announced that its information breach affected ten times
more consumers (a total of 1.4 million) than the company estimated a
month ago; similarly, LexisNexis announced a ten-fold increase in the
number of people affected by its data breach (a total of 310,000); and
HSBC Bank warned that an American retailer, thought to be Polo Ralph
Lauren, had a security breach affecting 180,000 individuals.

Text of California SB 1386, the Notification Law:


UK Plans to Add Biometrics to Passports

The United Kingdom's Home Office said on April 12 that it plans to
fingerprint all passport applicants within the next five years and store
the data on chips embedded in passports. This comes just days after the
government was forced to pull pending legislation for a national
identity card program using biometric technology. A recent report by
academics from the London School of Economics and Political Science
recommended that legislators abandon the legislation because current
proposals were "too complex, technically unsafe, overly prescriptive and
lack a foundation of public trust and confidence." The Labor Party had
promised to revisit the issue if it retains the ruling position after
the May 6 general election. The fingerprinting plan bypasses Parliament
because passports are granted by Royal Prerogative.

The Identity Project: An assessment of the UK Identity Cards Bill & its
implications by the London School of Economics & Political Science:


EPIC's National ID Cards page:


House Committee Scrutinizes Homeland Security Counterterrorism Strategies

Department of Homeland Security Secretary Michael Chertoff testified
before the House Committee on Homeland Security on April 13 about
counterterrorism strategies. Committee members asked for more
information about the department's proposed $847 million Office of
Screening Coordination and Operations (SCO). The office would oversee
vast databases of fingerprints, photographs, and personal information
from millions of Americans and foreigners. SCO would be responsible many
programs including United States Visitor and Immigrant Status Indicator
Technology (US-VISIT), Secure Flight and Crew Vetting, Transportation
Worker Identification Credential and Registered. In a letter to a House
subcommittee last month, EPIC urged careful scrutiny of this planned
office. Homeland Security has announced that the office's operations
would be conducted in a manner that safeguards civil liberties, but the
agency has not yet explained how it proposes to protect privacy rights
or ensure accountability. The authorization bill for Homeland Security
is scheduled for subcommittee markup on April 26, the full committee
markup is set for April 28, and full House consideration is expected on
May 11.

EPIC's Letter to House Subcommittee on Economic Security, Infrastructure
Protection, and Cybersecurity (pdf):


EPIC's Fiscal Year 2006 Budget page:


House Committee on Homeland Security:


Individual-i Freedom Campaign Launched

A new campaign, called "Individual-i," has launched to raise awareness
of civil liberties issues and to provide a symbol for those who wish to
express their rights. Individual-i seeks to represent the right to
privacy and anonymity; open government, due process, and equal
protection under the law; the right to live free of surveillance; and
the right not to be marked as "suspicious" for wanting these other

Individual-i site:


French Government Considers Compulsory Biometric IDs

The French government may soon mandate that its citizens carry a
national identity card. Although French citizens must prove their
identity to officials upon request, they can choose to present a
voluntary national ID card, an official document such as a driving
license or a passport (even expired), or call witnesses. In March, the
French government outlined a plan to replace the identity cards and
passports offered to its citizens with new ones that carry a microchip
containing digitized photographs and fingerprints. The plan is to
introduce the passports in 2006, and the identity cards a year later.

EPIC's National ID Cards page:


[7] EPIC Bookstore: Mari J. Frank's Guide to Ending Identity Theft

Mari J. Frank, From Victim To Victor: A Step By Step Guide For Ending
the Nightmare of Identity Theft (Porpoise Press 2005)


"With 10 million new victims a year, there is a vast need for people to
have legal help at a reasonable price. As a lawyer and former victim
herself, who has helped thousands of victims, Ms. Frank coaches and
guides you through every step, to lead you out of the nightmare. Mari
Frank had created the first self-help recovery tool for victims of
identity theft back in 1998, and this new edition with CD includes the
new federal laws and regulations in an easy to understand format."


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries
of interesting documents obtained from government agencies under the
Freedom of Information Act. Subscribe to EPIC FOIA Notes at: https://mailman.epic.org/cgi-bin/control/foia_notes ====================================================================== [8] Upcoming Conferences and Events ====================================================================== 2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research. May 8-11, 2005. Berkeley, CA. For more information: http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html. 58th Annual New York University Conference on Labor:Workplace Privacy: Here and Abroad. May 19-20, 2005. NYU School of Law. For more information: http://www.law.nyu.edu/centers/labor/conferences/ Sixth Annual Institute on Privacy Law: Data Protection - The Convergence
of Privacy & Security. May 23-24, 2005. Atlanta, Ga. For more
http://www.pli.edu/product/program_detail.asp?ptid=511&stid=3&id= EN00000000019985 SEC2005: Security and Privacy in the Age of Ubiquitous Computing. Technical Committee on Security & Protection in Information Processing Systems with the support of Information Processing Society of Japan. May 30-June 1, 2005. Chiba, Japan. For more information: http://www.sec2005.org. Sixth Annual Institute on Privacy Law: Data Protection - The Convergence of Privacy & Security. June 6-7, 2005. San Francisco, CA. For more information: http://www.pli.edu/ Sixth Annual Institute on Privacy Law: Data Protection - The Convergence of Privacy & Security. June 20-21, 2005. New York, NY. For more information: http://www.pli.edu/ Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. July 11-15, 2005. Luxembourg City, Luxenbourg. For more information: http://www.icann.org. 3rd International Human.Society@Internet Conference. July 27-29, 2005. Tokyo, Japan. For more information: http://hsi.itrc.net. PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:
http://www.ics.uci.edu/~kobsa/PEP05. 5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:
http://www.futureofmusic.org/events/summit05/index.cfm. The World Summit on the Information Society. Government of Tunisia. November 16-18, 2005. Tunis, Tunisia. For more information: http://www.itu.int/wsis. Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. November 30-December 4, 2005. Vancouver, Canada. For more information: http://www.icann.org. ====================================================================== Subscription Information ====================================================================== Subscribe/unsubscribe via web interface: https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news Back issues are available at: http://www.epic.org/alert The EPIC Alert displays best in a fixed-width font, such as Courier. ====================================================================== Privacy Policy ====================================================================== The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ====================================================================== About EPIC ====================================================================== The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 12.08 ---------------------- .