========================================================================
                          E P I C   A l e r t
========================================================================
Volume 12.08                                              April 21, 2005
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_12.08.html

========================================================================
Table of Contents
========================================================================

EPIC FOIA Note #3: Voting Machine Vendor Misled Election Officials
States and Congress to Regulate Data Brokers in Wake of Scandals
Controversial Database Project MATRIX Closes Down
California Considers Prohibiting RFID Use in State ID Cards
Choicepoint, Voter Rolls and Public Records Highlighted at CFP 2005
News in Brief
EPIC Bookstore: Mari J. Frank's Guide to Ending Identity Theft
Upcoming Conferences and Events

========================================================================
EPIC FOIA Note #3: Voting Machine Vendor Misled Election Officials
========================================================================

In the third edition of "EPIC FOIA Notes," formerly secret documents obtained by EPIC from Ohio reveal that Diebold misled state officials about the capability of its voting machines. Diebold claimed that its touch screen AccuVote machines would last at least 20 years. However, the Independent Testing Authority (ITA) Wyle Laboratories, which Diebold paid to evaluate its AccuVote voting system, reported that the machines would only be reliable for 8 years.

Diebold is the same company that misled California about its AccuVote machines. California barred the use of this voting system in the 2004 election. In Maryland, some Diebold machines broke down on Election Day 2004.
"EPIC FOIA Notes" gives subscribers fast access to important documents obtained by EPIC under the Freedom of Information Act, allowing users of mobile devices to learn quickly about important open government news. The first two editions highlighted documents recently obtained from the FBI about data broker Choicepoint. EPIC FOIA Notes #3: http://www.epic.org/foia_notes/note3.html Subscribe to EPIC FOIA Notes (please note that Alert subscribers will not automatically receive the publication): https://mailman.epic.org/cgi-bin/control/foia_notes EPIC's Public Information Requests to States on DRE Voting Technology page: http://www.epic.org/privacy/voting/foia/default.html ========================================================================  States and Congress to Regulate Data Brokers in Wake of Scandals ======================================================================== State legislatures and Congress are beginning to consider how to address the privacy problems caused by commercial data brokers, companies that sell personal information, such as Choicepoint, LexisNexis, and Acxiom. All three companies testified before the Senate Judiciary Committee last week, where Sen. Dianne Feinstein (D-CA) asked whether any of the companies had a security breach prior to 2003, before they were under a legal obligation to notify consumers. Choicepoint testified that it had, LexisNexis testified that it believed it had breaches, and Acxiom testified that it had a breach in 2003 and notified its clients (big businesses that transferred consumer data to Acxiom) but not consumers. Sen. Feinstein concluded, "This is my point: If it weren't for the California law [requiring notice to consumers of security breaches], we would have no way of knowing breaches that have occurred. It's really only because of that law that we now know. We, in no way, shape or form, are able to pierce the depth of what has happened in this industry." 
Meanwhile, California and New York introduced legislation to bring commercial data brokers and sellers of personal information for direct marketing purposes under regulation similar to the Fair Credit Reporting Act. Both bills incorporate many of the remedies to the commercial data broker problem proposed by EPIC West Director Chris Hoofnagle and George Washington Law School Professor Daniel Solove.

The California legislation, SB 550 introduced by Sen. Jackie Speier (D-San Francisco), would give individuals important rights over their information held by data brokers. If passed, Californians would be able to access and correct their records, opt out of having their data in reports, obtain an accounting of disclosures of their information, and obtain a free credit freeze if a data broker has a security breach. (Credit reports that are "frozen" or sealed can be made available only when the individual "thaws" her file, and specifies to whom, when, or in what contexts the file can be released.) Individuals would also have the ability to sue for violations of the law.

The New York legislation, proposed by Attorney General Eliot Spitzer, would allow individuals to remove their information from data brokers' and direct marketers' databases. New Yorkers could gain access to their profiles, and would receive notice whenever their dossiers were sold. If passed, New York would be the fifth state to provide its citizens with credit freeze legislation. (Such laws exist in California, Texas, Louisiana and Vermont.)

Next week, the Senate Commerce Committee will hold a hearing on Choicepoint. EPIC will continue to track these issues and report on important developments.
Text of the Proposed California SB 550:

     http://www.epic.org/redirect/calif550.html

Proposed New York Legislative Package:

     http://www.oag.state.ny.us/press/2005/apr/apr18a_05.html

Model Privacy Regime Version 2.0 by Daniel Solove and Chris Hoofnagle:

     http://papers.ssrn.com/sol3/papers.cfm?abstract_id=699701

EPIC's Choicepoint page:

     http://epic.org/privacy/choicepoint/

========================================================================
Controversial Database Project MATRIX Closes Down
========================================================================

The Multistate Anti-Terrorism Information Exchange (MATRIX), a three-year-old crime and terrorism database, closed down Friday because its federal funding ran out. MATRIX was run by Florida and LexisNexis subsidiary Seisint, which last week announced a security breach that compromised data on 310,000 Americans.

MATRIX drew criticism because the database had detailed files about innocent people, including credit histories and fingerprints. Nine states had left the project during its three-year history citing privacy, legal and cost concerns. Four states remained in the program: Ohio, Connecticut, Pennsylvania, and Florida. MATRIX had been financed by $12 million in federal grants. Elements of MATRIX may continue if individual states decide to finance it on their own.

The personal information contained in MATRIX included individuals' names, past addresses, telephone numbers, Social Security numbers, dates of birth, credit information, driver's license photographs, marriage and divorce records, names and addresses of family members, and neighbors' addresses and telephone numbers. Some of the information was incorrect, but individuals were unable to correct their records.

News Release Announcing MATRIX Closure on April 15, 2005:

     http://www.epic.org/redirect/flamat.html

EPIC's amicus brief before the Supreme Court in Hiibel v.
Nevada describing MATRIX (pdf):

     http://www.epic.org/privacy/hiibel/epic_amicus.pdf

MATRIX site:

     http://www.matrix-at.org/

========================================================================
California Considers Prohibiting RFID Use in State ID Cards
========================================================================

Federal and state officials have been considering attaching "tag and track" devices, known as RFIDs (Radio Frequency Identification tags), to government documents. California State Sen. Joe Simitian (D-11) has introduced "The Identity Information Protection Act" (SB 682), which would prohibit the inclusion of RFIDs in identity documents issued by state agencies, such as driver's licenses, student identification badges, and medical cards. A broad coalition of privacy rights, consumer, and civil liberties groups is supporting the bill.

RFID tags are tiny integrated circuits with small antennae that enable information to be scanned remotely without the person's knowledge. This information could include the personal data displayed on ID cards, including an individual's name, address, telephone number, date of birth, photograph, fingerprint, Social Security number and any other unique personal identifier or number. This information could easily be read by any person armed with an RFID reader, and then be used for stalking, kidnapping, or identity theft.

Every year, about 10 million persons are victims of identity theft. RFID-enabled ID cards that are not properly designed and have weak technological safeguards are likely to make the crime of identity theft easier to commit.
Text of Proposed SB 682: "The Identity Information Protection Act" (pdf):

     http://www.aclunc.org/cyber/050223-radioID.pdf

EPIC's RFID page:

     http://www.epic.org/privacy/rfid

========================================================================
Choicepoint, Voter Rolls and Public Records Highlighted at CFP 2005
========================================================================

Many privacy issues were discussed at the 15th Annual Computers, Freedom and Privacy Conference held in Seattle, Wash., last week. Three Washington members of EPIC participated in panels discussing consumer rights, voting rights, and data mining and public records.

Chris Hoofnagle, director of EPIC's West Coast Office in San Francisco, discussed the emerging privacy problems presented by commercial data brokers, such as Choicepoint. Mr. Hoofnagle explained that the companies collected personal information from public records, government databases such as motor vehicle repositories, and companies that sell consumer data. Mr. Hoofnagle emphasized that commercial data brokers often sell two lines of information reports, one that is regulated under the Fair Credit Reporting Act (FCRA), and a parallel line of reports that contain similar information but are not covered by the Act. This parallel line of non-FCRA reports is sold to many parties, and individuals have no ability to correct errors, see who has obtained their reports, or to limit the distribution of their information.

Lillie Coney, EPIC Associate Director, and Dr. Barbara Simons, Co-chair of the Association for Computing Machinery's US Public Policy Committee, headed a panel discussing plans by states to implement statewide-centralized voter registration systems. A little-known provision of the Help America Vote Act requires that states, with the assistance of the newly created U.S. Election Assistance Commission, develop such databases by 2006. Panelists discussed the importance of fair information practices.
Such practices provide notice and assurance to voters that the information provided to the state will be used for the purpose it was collected, that it will be accurate, that voters will have an opportunity to correct inaccurate information and that voters' information will be secure. Also discussed was the larger issue of security presented by insider and outsider threats as well as potential vulnerabilities in these database systems.

Marcia Hofmann, Director of the EPIC Open Government Project, moderated a session challenging conference participants to pose solutions to complex issues created by public records and data mining. The panel proposed hypothetical problems about posting personal information online through public records and making conviction records available through commercial databases, and asked the audience how to resolve the complicated privacy and access issues created by each scenario. Panel participants Cindy Southworth, Technology Director of National Network to End Domestic Violence; Professor Dan Solove, George Washington University Law School; and Doug Klunder, Privacy Project Director at the American Civil Liberties Union of Washington, respectively played the roles of privacy advocate, media representative, and the data brokerage industry to add diverse perspectives to the spirited discussion.

EPIC's Choicepoint page:

     http://epic.org/privacy/choicepoint/

EPIC's Statewide Centralized Voter Registration Databases page:

     http://www.epic.org/privacy/voting/register/

National Committee for Voting Integrity:

     http://www.votingintegrity.org/

========================================================================
News in Brief
========================================================================

Data Security Breaches Grow in Frequency, Magnitude

News reports continue to abound detailing new and existing personal information security breaches.
These reports are driven by security breach notices issued to consumers by institutions that contain Social Security, driver's license, or account numbers that were accessed by unauthorized parties. These notices are required by a California state law that went into effect in 2003. This law has pierced the public relations veil of the data industry, revealing that security breaches are much more common than previously thought.

In recent weeks, shoe company DSW announced that its information breach affected ten times more consumers (a total of 1.4 million) than the company estimated a month ago; similarly, LexisNexis announced a ten-fold increase in the number of people affected by its data breach (a total of 310,000); and HSBC Bank warned that an American retailer, thought to be Polo Ralph Lauren, had a security breach affecting 180,000 individuals.

Text of California SB 1386, the Notification Law:

     http://privacy.ca.gov/code/cc1798.291798.82.htm

UK Plans to Add Biometrics to Passports

The United Kingdom's Home Office said on April 12 that it plans to fingerprint all passport applicants within the next five years and store the data on chips embedded in passports. This comes just days after the government was forced to pull pending legislation for a national identity card program using biometric technology. A recent report by academics from the London School of Economics and Political Science recommended that legislators abandon the legislation because current proposals were "too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence." The Labour Party had promised to revisit the issue if it retains the ruling position after the May 6 general election. The fingerprinting plan bypasses Parliament because passports are granted by Royal Prerogative.
The Identity Project: An assessment of the UK Identity Cards Bill & its implications by the London School of Economics & Political Science:

     http://www.epic.org/redirect/lseid.html

EPIC's National ID Cards page:

     http://www.epic.org/privacy/id_cards/

House Committee Scrutinizes Homeland Security Counterterrorism Strategies

Department of Homeland Security Secretary Michael Chertoff testified before the House Committee on Homeland Security on April 13 about counterterrorism strategies. Committee members asked for more information about the department's proposed $847 million Office of Screening Coordination and Operations (SCO). The office would oversee vast databases of fingerprints, photographs, and personal information from millions of Americans and foreigners. SCO would be responsible for many programs including United States Visitor and Immigrant Status Indicator Technology (US-VISIT), Secure Flight and Crew Vetting, Transportation Worker Identification Credential and Registered.

In a letter to a House subcommittee last month, EPIC urged careful scrutiny of this planned office. Homeland Security has announced that the office's operations would be conducted in a manner that safeguards civil liberties, but the agency has not yet explained how it proposes to protect privacy rights or ensure accountability.

The authorization bill for Homeland Security is scheduled for subcommittee markup on April 26, the full committee markup is set for April 28, and full House consideration is expected on May 11.
EPIC's Letter to House Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity (pdf):

     http://www.epic.org/privacy/budget/fy2006/sco_letter.pdf

EPIC's Fiscal Year 2006 Budget page:

     http://www.epic.org/privacy/budget/fy2006/default.html

House Committee on Homeland Security:

     http://hsc.house.gov/

Individual-i Freedom Campaign Launched

A new campaign, called "Individual-i," has launched to raise awareness of civil liberties issues and to provide a symbol for those who wish to express their rights. Individual-i seeks to represent the right to privacy and anonymity; open government, due process, and equal protection under the law; the right to live free of surveillance; and the right not to be marked as "suspicious" for wanting these other rights.

Individual-i site:

     http://www.individual-i.com/

French Government Considers Compulsory Biometric IDs

The French government may soon mandate that its citizens carry a national identity card. Although French citizens must prove their identity to officials upon request, they can choose to present a voluntary national ID card, an official document such as a driving license or a passport (even expired), or call witnesses. In March, the French government outlined a plan to replace the identity cards and passports offered to its citizens with new ones that carry a microchip containing digitized photographs and fingerprints. The plan is to introduce the passports in 2006, and the identity cards a year later.

EPIC's National ID Cards page:

     http://www.epic.org/privacy/id_cards/

========================================================================
EPIC Bookstore: Mari J. Frank's Guide to Ending Identity Theft
========================================================================

Mari J.
Frank, From Victim To Victor: A Step By Step Guide For Ending the Nightmare of Identity Theft (Porpoise Press 2005)

     http://powells.com/cgi-bin/biblio?inkey=17-1892126044-1

"With 10 million new victims a year, there is a vast need for people to have legal help at a reasonable price. As a lawyer and former victim herself, who has helped thousands of victims, Ms. Frank coaches and guides you through every step, to lead you out of the nightmare. Mari Frank had created the first self-help recovery tool for victims of identity theft back in 1998, and this new edition with CD includes the new federal laws and regulations in an easy to understand format."

================================

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $35.
http://www.epic.org/bookstore/phr2004

This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.
http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries
of interesting documents obtained from government agencies under the
Freedom of Information Act.

     Subscribe to EPIC FOIA Notes at:
     https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
Upcoming Conferences and Events
========================================================================

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research. May 8-11, 2005. Berkeley, CA. For more information: http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html.

58th Annual New York University Conference on Labor: Workplace Privacy: Here and Abroad. May 19-20, 2005. NYU School of Law. For more information: http://www.law.nyu.edu/centers/labor/conferences/

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence
of Privacy & Security. May 23-24, 2005. Atlanta, Ga. For more information:
http://www.pli.edu/product/program_detail.asp?ptid=511&stid=3&id=EN00000000019985

SEC2005: Security and Privacy in the Age of Ubiquitous Computing. Technical Committee on Security & Protection in Information Processing Systems with the support of Information Processing Society of Japan. May 30-June 1, 2005. Chiba, Japan. For more information: http://www.sec2005.org.

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence of Privacy & Security. June 6-7, 2005. San Francisco, CA. For more information: http://www.pli.edu/

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence of Privacy & Security. June 20-21, 2005. New York, NY. For more information: http://www.pli.edu/

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. July 11-15, 2005. Luxembourg City, Luxembourg. For more information: http://www.icann.org.

3rd International Human.Society@Internet Conference. July 27-29, 2005. Tokyo, Japan. For more information: http://hsi.itrc.net.

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:
http://www.ics.uci.edu/~kobsa/PEP05.

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information: