========================================================================
E P I C  A l e r t
========================================================================
Volume 12.09                                                 May 5, 2005
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_12.09.html

========================================================================
Table of Contents
========================================================================

Congress May Pass Flawed ID Bill Without a Hearing
Annual Reports Show Government Surveillance at an All-Time High
U.S. Revises RFID Passport Proposal Amid Storm of Criticism
EPIC Testifies About Risks of Voter Registration Databases
Spotlight: Federal Grants Fund Surveillance Cameras in Cities
News in Brief
EPIC Bookstore: Judith Collins: Prevent Identity Theft in Business
Upcoming Conferences and Events

========================================================================
Congress May Pass Flawed ID Bill Without a Hearing
========================================================================

A bit of last-minute maneuvering is taking place in Washington as
backers of the REAL ID Act seek to attach the controversial proposal to
unrelated legislation, hoping to avoid a public hearing on the national
ID plan. Republican and Democratic lawmakers in the Senate have urged
Sen. Bill Frist to allow hearings on the bill and to permit a separate
vote on the measure.

The REAL ID Act would mandate federal identification standards and
require state DMVs to collect sensitive personal information. Sen.
Richard Durbin also expressed concern that REAL ID would repeal earlier
legislation that contained "carefully crafted language - bipartisan
language - to establish standards for States issuing driver's licenses."

The proposal comes just weeks after the State Department backed off a
flawed plan to require RFID chips in hi-tech electronic passports.
Security experts found significant weaknesses in the plan that would
have made it easy for identity thieves and those targeting American
citizens traveling abroad to capture sensitive personal information.

Real ID would require state DMVs to collect similar data at the same
time that the states' motor vehicle agencies have become the target of
identity thieves. In recent months three state DMVs have been penetrated
by identity thieves. In March, burglars rammed a vehicle through a back
wall at a DMV near Las Vegas and drove off with files, including Social
Security numbers, on about 9,000 people. Last week Florida police
arrested 52 people, including 3 DMV examiners, in a scheme that sold
more than 2,000 fake driver's licenses. Two weeks ago Maryland police
arrested three people, including a DMV worker, in a plot to sell about
150 fake licenses.

The American Association of Motor Vehicle Administrators is opposed to
the REAL ID plan. The National Governors Association, the National
Conference of State Legislatures, the Council of State Governments, and
many others also oppose the proposal.

EPIC's National ID Cards page:
Text of H.R. 418, the Real ID Act:
Text of Senate floor speech made by Sen. Richard Durbin (D-IL) on April
Letter from Bipartisan Senate Coalition on Need for Hearing:
Schneier on Security, RFID Passports:
EPIC's RFID page:
"Authorities warn of consequences of DMV break-in" Las Vegas
Review-Journal, March 9, 2005:
http://www.epic.org/redirect/vegas_dmv.html

========================================================================
Annual Reports Show Government Surveillance at an All-Time High
========================================================================

Two annual reports recently released by government agencies show that
surveillance activity conducted by the United States has continued to
rise dramatically since the 9/11 terrorist attacks, reaching an all-time
high in 2004.

A report issued by the Administration Office of the United States Courts
shows that state and federal courts authorized 1,710 interceptions of
wire, oral, and electronic communications in 2004, an increase of 19
percent over intercepts approved in 2003 and the greatest number ever
authorized in a single year. Federal officials requested 730 intercept
applications in 2004, a 26 percent increase over the number requested in
2003. No wiretap applications were denied last year.

According to the Department of Justice's 2004 Foreign Intelligence
Surveillance Act Annual Report, the Foreign Intelligence Surveillance
Court granted 1,758 applications for secret surveillance in 2004, more
than in any previous year. The years 2003 and 2004 are the only ones
since FISA's 1978 passage in which more secret surveillance applications
were granted than federal wiretap warrants, which are issued only under
a more stringent legal standard.

In related news, EPIC filed a complaint this week asking a federal court
to force the FBI to disclose data about its use of expanded surveillance
authority under sunsetting provisions of the USA PATRIOT Act. In April,
the agency agreed to quickly process EPIC's Freedom of Information Act
request for the information, but has not complied with the timeline for
even a standard FOIA request. The lawsuit comes amid numerous
congressional hearings reviewing controversial sections of the USA
PATRIOT Act. Many of these provisions will expire at the end of the year
unless the administration makes the case for renewal.

2004 Wiretap Report:
http://www.uscourts.gov/wiretap04/contents.html

2004 Foreign Intelligence Surveillance Act Annual Report (pdf):
http://www.fas.org/irp/agency/doj/fisa/2004rept.pdf

EPIC's Wiretap Page:
http://www.epic.org/privacy/wiretap

EPIC's FISA Page:
http://www.epic.org/privacy/terrorism/fisa

EPIC's USA PATRIOT Act FOIA Page:
http://www.epic.org/privacy/terrorism/usapatriot/foia

EPIC's USA PATRIOT Act Sunset Page:
http://www.epic.org/privacy/terrorism/usapatriot/sunset.html

========================================================================
U.S. Revises RFID Passport Proposal Amid Storm of Criticism
========================================================================

The State Department is reassessing its plans to use passports with
unencrypted Radio Frequency Identification (RFID) chips in response to
criticism from EPIC, other civil liberties groups, privacy and security
experts, and the travel industry. The proposal would have made personal
data contained in hi-tech passports vulnerable to unauthorized access.

The new passports will be delayed so that the State Department can
address the important privacy and security risks of "skimming" and
"eavesdropping." Skimming occurs when information from an RFID chip is
surreptitiously gathered by an unauthorized individual. Eavesdropping
occurs when an individual intercepts passport data as it is read by an
authorized RFID reader. Tests have shown that the passports' RFID chips
can be read from two feet or more, posing a significant risk of
unauthorized access.

The State Department is seeking to protect the information by covering
the passport booklet with metal threads to hamper data reading when the
booklet is not opened. The government is also reconsidering the use of
standards from the International Civil Aviation Organization that it had
rejected earlier, which would secure the data by encrypting it. These
standards would not allow scanning at a distance until the passport has
first been optically scanned by a customs agent. With these proposed
changes, the main justification that the State Department used to
promote the use of RFID technology - to save time at Customs by distance
scanning with no physical contact required - is invalidated.

EPIC and other civil liberties groups filed comments last month urging
the State Department to abandon its plans to require RFID-enabled
passports for American travelers. The comments stated that the proposal
lacked evidence to support that RFID-enabled passports are necessary or
that their benefits outweigh the security risks inherent in having the
data in a contactless and unencrypted format. Most of these critiques
are still relevant today despite the solution proposed.

EPIC, EFF et al, Comments on RFID passports (pdf):
http://www.epic.org/privacy/rfid/rfid_passports-0405.pdf

EPIC's RFID page:
http://www.epic.org/privacy/rfid

========================================================================
EPIC Testifies About Risks of Voter Registration Databases
========================================================================

Lillie Coney, EPIC Associate Director, testified before the U.S.
Election Assistance Commission (EAC) regarding the promulgation of
voluntary guidelines to states on compliance with Section 303(a) of the
Help America Vote Act (HAVA). This Section of HAVA requires all states
to develop and maintain a single, uniform, centralized, interactive
computerized statewide voter registration list by Jan. 1, 2006. This
list must contain the name and registration information of every
registered voter in the state.

Ms. Coney testified that policymakers, the public, and the media should
carefully investigate the risks associated with this proposal. Ms. Coney
stressed that the states' centralization process should be transparent
to the public. She urged strong privacy safeguards for voter
information.

EPIC's open government work has revealed that state and local
governments have relied heavily on the claims of vendors in their
decisions to adopt e-voting technology, at times to the detriment of
voters. In Ohio, documents obtained by EPIC revealed that Diebold misled
state officials about the capability of its voting machines.

Ms. Coney highlighted concerns about the use of private companies to
build centralized voter registration databases. Florida, Pennsylvania,
Colorado, Wisconsin, and Wyoming have hired information management
company Accenture to assist in developing their databases. Accenture is
the company responsible for creating an error-prone felon purge list for
Florida in 2004. Accenture had wrongly included 2,119 names among those
slated for removal from Florida's voter registration rolls.

The EAC will continue to hear public comments on the draft Voluntary
Policy Guidance for Implementation of Statewide Voter Registration Lists
until May 25.

EPIC Testimony Before the EAC:
http://www.epic.org/privacy/voting/register/eac_testimony42605.html

EPIC's Voter Registration page:
http://www.epic.org/privacy/voting/register/

EAC Proposed Voluntary Guidance on Implementation of Statewide Voter
Registration Lists (pdf):
http://www.epic.org/redirect/eac05.html

EAC site:
http://www.eac.gov

========================================================================
Spotlight: Federal Grants Fund Surveillance Cameras in Cities
========================================================================

This month, Spotlight on Surveillance turns to the $2 billion that the
Department of Homeland Security will provide to state and local
governments. Some of this money will be for surveillance camera networks
that watch people in shopping centers and on public streets. Studies
have found that such surveillance systems have little impact on crime,
and that it is more effective to place officers on the streets and
improve lighting in high-crime areas.

Cities such as Baltimore, Chicago, and New Orleans have installed camera
surveillance networks with financing from the federal government. Such
cameras, which can cost $60,000 each, can be remotely controlled by
police to pan, tilt, zoom and rotate, and have day and night vision
capabilities and wireless technologies.

Chicago has 2,250 cameras in its "Homeland Security Grid," which DHS
helped finance with a $5.1 million grant. The cameras are linked to a
$43-million operations center constantly monitored by police officers.
Baltimore has used federal grants to finance its camera system and $1.3
million "Watch Center." The plan is for five counties in Maryland - Anne
Arundel, Baltimore, Carroll, Hartford and Howard - to connect with the
city's surveillance system.

Though cities are spending millions for these systems, studies have
shown that they do not decrease criminal activity. Last year, a
Milwaukee study found that law enforcement officials in cities such as
Detroit, Mich.; Miami, Fla.; and Oakland, Calif., abandoned the use of
these surveillance systems because they had little effect on crime
prevention.

There are also concerns that the homeland security camera systems will
be misused or abused. The University of Nevada at Reno has been accused
of using its homeland security camera system to spy on a professor who
filed a complaint against the school.

EPIC has been following the growth in the use of such camera systems for
years. In 2002, EPIC launched the Observing Surveillance project. The
project includes a map of camera locations in areas of downtown
Washington, D.C., which indicates both the locations of surveillance
cameras installed by the D.C. Metropolitan Police Department and the
projected surveillance radius of those cameras.

EPIC's Spotlight on Surveillance page:
http://www.epic.org/privacy/surveillance/spotlight/

EPIC's Domestic Spending on Surveillance Programs page:
http://www.epic.org/privacy/budget/fy2006/default.html

Observing Surveillance Web Site:
http://www.observingsurveillance.org/

========================================================================
News in Brief
========================================================================

EPIC West Testifies on California Data Broker Bill

Last week, EPIC West Director Chris Hoofnagle testified on California
Senate Bill 550, a measure aimed at adding accountability to the
commercial data broker industry. Introduced by Sen. Jackie Speier (D-San
Francisco), SB 550 would allow individuals to access and correct their
dossiers. Individuals would also receive notice when others purchase
their files. Finally, the bill would give individuals a free credit
freeze whenever a commercial data broker experienced a security breach.

EPIC Testimony on SB 550:
http://www.epic.org/privacy/choicepoint/casjud4.26.05.html

Text of California SB 550:
http://www.epic.org/redirect/calif550.html

EPIC Urges Scrutiny of Agency's Budget Requests

In a letter to a Senate committee reviewing the Transportation Security
Administration's proposed budget for Fiscal Year 2006, EPIC urged
scrutiny of the agency's programs. EPIC said the agency has a history of
secrecy in developing its programs, and has shown a proclivity to using
personal information for reasons other than the ones for which it was
gathered. Recent government reports issued by the Government
Accountability Office and the Department of Homeland Security Inspector
General state that there are many questions about the agency's data
collection, use, and privacy safeguards in its programs. The agency must
answer these questions before more taxpayer money is poured into its
programs.

EPIC's Letter to the Senate Committee on Commerce, Science and
Transportation:
http://www.epic.org/privacy/budget/fy2006/sencomletter425.html

EPIC's Domestic Spending on Surveillance page:
http://www.epic.org/privacy/budget/fy2006/

Non-profits Protest Growing Surveillance Infrastructures

The International Campaign Against Mass Surveillance (ICAMS), founded by
the American Civil Liberties Union, Focus on the Global South, the
Friends' Committee on National Legislation and other NGOs, is protesting
the increasing registration of populations and building of surveillance
infrastructures. Many governments around the world are creating these
programs under the banner of the "war on terror" and the need for global
security.

ICAMS's campaign declaration urges governments to abandon intrusive and
discriminatory surveillance measures, recommends the strengthening of
privacy standards, and urges inter-governmental bodies to operate with
more openness and accountability. ICAMS describes ten signposts that
show the extent of current government surveillance, from the creation of
a global system of surveillance for identification, movement-tracking
and interception of electronic communications, to the convergence of
national and international databases and the erosion of democratic
values. ICAMS is asking organizations to endorse the declaration.

Campaign Declaration:
http://www.i-cams.org/

List of endorsing organizations:
http://www.i-cams.org/SupportingOrgs.html

Senators Introduce Bill To Defend E-Mail Privacy

Sens. Patrick Leahy and John Sununu have introduced a bill that would
strengthen privacy protections for email in light of a controversial
court ruling. The E-Mail Privacy Act of 2005 would clarify that it
violates federal wiretap law to "intercept" communications when they are
temporarily in electronic storage, but still in transit to their final
destinations.

Last year, a three-judge panel of the First Circuit Court of Appeals
ruled in United States v. Councilman that a company did not violate
federal wiretap law when it used an e-mail service it provided to its
subscribers to access their e-mails so it could review messages sent to
them by a rival company. The full appellate court is now reviewing the
decision. In November, EPIC joined an amicus brief filed by a coalition
of civil liberties groups arguing that the panel's decision creates
serious constitutional questions under the Fourth Amendment guarantee
against unreasonable search and seizure.

Text of S. 936, the E-Mail Privacy Act of 2005:
http://thomas.loc.gov/cgi-bin/bdquery/z?d109:s.00936:

Amicus brief filed by civil liberties groups in United States v.
Councilman (pdf):
http://www.epic.org/privacy/councilman/kerr_amicus.pdf

EPIC's United States v. Councilman Page:
http://www.epic.org/privacy/councilman

Download.com Bans Software With Adware or Spyware

Download.com, a major online source for computer software programs, has
announced that it will not host any software that tests positive for
adware or spyware. In response to the announcement, several software
companies already have removed spyware and adware from their products.
Speaking at an event associated with the anti-spyware move, EPIC West
Director Chris Hoofnagle argued that there should also be a discussion
about whether third-party advertising cookies constitute a form of
objectionable online tracking that should be subject to anti-spyware
regulation.

Download.com Spyware Confidential:
http://blogs.download.com/Spyware-Confidential/

========================================================================
EPIC Bookstore: Judith Collins: Prevent Identity Theft in Business
========================================================================

Judith M. Collins, Preventing Identity Theft in Your Business: How to
Protect Your Business, Customers, and Employees (John Wiley & Sons 2005)

http://www.powells.com/cgi-bin/biblio?inkey=2-047169469x-0

"[R]ecent studies indicate that at least 50 percent or more of identity
thefts are committed inside the workplace by a dishonest few employees
who steal the Social Security, credit card, banking, or other numbers
from their coworkers and customers," argues Judith Collins, a professor
at the School of Criminal Justice at Michigan State University. Working
from this premise, Collins suggests a four-factor model to address
identity theft risks in the workplace: companies should secure personal
information by focusing on personnel, processes, proprietary
information, and transactions.

Collins's book is chock full of helpful exercises and compliance systems
for businesses to reduce the risk of misuse of personal information.
While the book is a great starting point for businesses concerned about
employee deviance, it does not address the larger problems driving
identity theft, such as instant credit granting and poor authentication
practices in the retail industry. Nevertheless, Collins's book provides
useful guidance in securing personal information; guidance that is
highly valuable in light of new requirements that businesses disclose
security breaches.

-- Chris Jay Hoofnagle

================================

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $35.
http://www.epic.org/bookstore/phr2004

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world. The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act. The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years. For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference
manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.

================================

"The Privacy Law Sourcebook 2003: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price:
$40.
http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as well
as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce. The focus is on
framework legislation that articulates basic rights for consumers and
the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.
http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world. The results
indicate that the efforts to reduce export controls on strong encryption
products have largely succeeded, although several governments are
gaining new powers to combat the perceived threats of encryption to law
enforcement.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries
of interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes

======================================================================
Upcoming Conferences and Events
======================================================================

2005 IEEE Symposium on Security and Privacy. IEEE Computer Society
Technical Committee on Security and Privacy in cooperation with The
International Association for Cryptologic Research. May 8-11, 2005.
Berkeley, CA. For more information:
http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html.

Symposium "Lier la recherche sur les technologies de l'information et de
la communication (TICs) au développement" (Link Research on Information
and communication Technologies to Development). Azur Développement.
Brazzaville, Republic of Congo. May 16-18, 2005 (in French only). For
http://www.azurdev.org/fr/symposium/

58th Annual New York University Conference on Labor: Workplace Privacy:
Here and Abroad. May 19-20, 2005. NYU School of Law. For more
information: http://www.law.nyu.edu/centers/labor/conferences/

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence
of Privacy & Security. May 23-24, 2005. Atlanta, Ga. For more
http://www.pli.edu/product/program_detail.asp?ptid=511&stid=3&id=EN00000000019985

SEC2005: Security and Privacy in the Age of Ubiquitous Computing.
Technical Committee on Security & Protection in Information Processing
Systems with the support of Information Processing Society of Japan. May
30-June 1, 2005. Chiba, Japan. For more information:
http://www.sec2005.org.

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence
of Privacy & Security. June 6-7, 2005. San Francisco, CA. For more
information: http://www.pli.edu/

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence
of Privacy & Security. June 20-21, 2005. New York, NY. For more
information: http://www.pli.edu/

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005. Luxembourg City, Luxembourg. For more information:
http://www.icann.org.

3rd International Human.Society@Internet Conference. July 27-29, 2005.
Tokyo, Japan. For more information: http://hsi.itrc.net.

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:
http://www.ics.uci.edu/~kobsa/PEP05.

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information: