
                             E P I C  A l e r t
Volume 12.10                                              May 20, 2005

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] More Than 40 Groups Oppose Homeland Security's Weak Privacy Rules
[2] EPIC Documents: DC Metro's SmarTrip Collects Vast Traveler Data
[3] Congress Passes Controversial ID Bill Without Debate
[4] Study Shows Data Brokers' Files Error-Ridden, Acxiom Unresponsive
[5] House Bill Would Turn SSN Into a National Identifier
[6] News in Brief
[7] EPIC Bookstore: Jensen & Draffan's "Welcome to the Machine"
[8] Upcoming Conferences and Events

[1] More Than 40 Groups Oppose Homeland Security's Weak Privacy Rules

A coalition of 41 groups including EPIC, American Civil Liberties Union,
Council On American-Islamic Relations, and People For The American Way,
submitted comments opposing the Department of Homeland Security's plan
to exempt a vast database from legal requirements that protect privacy
and promote government accountability. The coalition stated that the
agency's plan leaves individuals without the ability to correct
inaccurate information and without protection against possible abuse of
the database.

According to DHS, the Homeland Security Operations Center Database
("HSOCD") will serve as "a single, centralized repository for gathered
information." The agency seeks broad exemptions from key fair
information principles such as the Privacy Act of 1974 requirements that
an individual be permitted access to personal information, that an
individual be permitted to correct and amend personal information, and
that an agency assure the reliability of personal information for its
intended use. These exemptions would allow DHS to track and profile
individuals, including American citizens who seek to aid homeland
security investigations, with little accountability.

For this database, DHS proposes to deny individuals the civil remedies
they have against an agency for failure to comply with its obligations
under the Privacy Act. Providing individuals with the right to judicial
review is crucial because the new database will have information not
only about suspected criminals, but also about people who offer
information about terrorism, as well as current and former DHS employees
and contractors. Though the Privacy Act requires an agency to provide
reasons why the database should be exempted, DHS has not yet provided an

The coalition asked DHS to create privacy rules for the database that
would 1) provide individuals judicially enforceable rights of access and
correction; 2) limit the collection of information to only that which is
necessary and relevant; and 3) respect individuals' rights to their
information that is collected and maintained by the agency.

Coalition Comments on the Proposed Exemptions for the DHS Database (pdf):


The Department of Homeland Security's Notice of Privacy Act Exemptions
for the Database:


NPR Story: Privacy Groups Sound Warning on Homeland Security Database


EPIC's Privacy Act of 1974 page:


[2] EPIC Documents: DC Metro's SmarTrip Collects Vast Traveler Data

Documents recently obtained by EPIC from the Washington Metropolitan
Area Transit Authority show the extensive scope of the data collected
and processed by the SmarTrip program. SmarTrip uses permanent,
rechargeable farecards embedded with radio frequency identification
(RFID) chips to keep track of the cards' values and travel itineraries.
SmarTrip cards can be used to pay fares on the Metro's rail and bus
systems, as well as for parking in Metro parking lots.

The documents show that the SmarTrip program can collect a vast amount
of information about a passenger, including personal information such as
name, address, and phone number; the place and time of the passenger's
arrival in the Metro system; the place where the passenger exits the
system; the amount of time the passenger spends traveling within the
system; and the time and date the passenger enters and leaves a Metro
parking lot. This data can be used to create a detailed profile of the
SmarTrip cardholder. Most similar records held by state agencies are
protected by law. Currently, only an internal Metro policy protects the
information collected through the SmarTrip system.

The Washington Metro announced this week a new privacy policy for the
collection and use of SmarTrip data or credit card usage in the Metro
system. The policy limits disclosure without prior written authorization
from the person. It assures individuals access to their own information
and an accounting of disclosures. The Board also approved changes to its
Public Access to Records Policy, more closely aligning it with the
federal Freedom of Information Act. The changes to that policy
establish certain exemptions and time frames for processing requests,
provide for judicial review, and exempt individual SmarTrip data from
disclosure except in limited instances.

EPIC supported the changes, but noted that the new policy will permit
disclosure of passengers' personal information -- including all SmarTrip
information -- upon written request from the head of a federal, state or
local government agency in the context of a specific civil or criminal
law enforcement activity.

Documents obtained by EPIC from the Washington Metropolitan Area Transit
Authority (pdf):


EPIC FOIA Note #5: DC Metro Tracks Travelers:


EPIC's comments to DC Metro:


Metro's Proposed Amended Public Access to Records Policy and Proposed
Privacy Policy (approved May 19, 2005) (pdf):


Announcement of New Metro Privacy and Open Records Policy


[3] Congress Passes Controversial ID Bill Without Debate

Congress has passed the supplemental military spending bill to which the
REAL ID Act was attached, and President Bush will soon sign the
legislation. The REAL ID Act, a national ID program, mandates federal
identification standards and requires that state DMVs collect sensitive
personal information. Congress passed REAL ID without a hearing even
though legislators in both parties urged debate.

Under the REAL ID Act, state DMVs will have to verify identification
documents and the legal status of immigrants. States are mandated to
link their databases so that all information collected by each DMV can
be accessed. Several state DMV offices have recently been the targets
of identity thieves.

The National Governors Association and National Conference of State
Legislatures are two of more than 600 organizations that oppose the REAL
ID Act. The NGA and NCSL urged Congress to reject the REAL ID Act and
instead remain committed to the driver's license and ID card provisions of
the Intelligence Reform and Terrorism Prevention Act, which passed in
December with bipartisan support.

States can choose to opt-out of the program, but REAL ID mandates that
licenses from opt-out states cannot be used as identification for
federal purposes. This means that residents of states that reject the
REAL ID program will not be able to board a plane or enter a federal
building with their licenses.

Rep. James Sensenbrenner, the act's sponsor, has estimated that enacting
REAL ID would cost $100 million. However, the National Conference of
State Legislatures said it would cost states $500 million to $700 million.
Whatever the cost, Congress has not yet allocated any funds for the

EPIC's National ID Cards and REAL ID page:


Text of H.R. 418, the Real ID Act:


Letter from Bipartisan Senate Coalition on Need for Hearing:


Letter from National Governors Association, American Association of
Motor Vehicle Administrators, National Conference of State Legislatures,
Council of State Governments urging rejection of REAL ID:


[4] Study Shows Data Brokers' Files Error-Ridden, Acxiom Unresponsive

PrivacyActivism, a San Francisco-based privacy group, released a study
Thursday showing that commercial data brokers Choicepoint and Acxiom
maintain files with significant errors. The study also showed that
Acxiom was unresponsive to a number of requests made by individuals
attempting to obtain their own dossiers.

In the study, 11 people requested their Choicepoint and Acxiom dossiers.
Although the sample size was small, the results showed significant
problems at both commercial data broker companies. All 11 participants
were successful in obtaining their Choicepoint reports quickly, but all
found errors in their files. Of the sample, 73 percent found errors in
basic biographical information in their Choicepoint reports, which
includes name, date of birth, current address, and phone number. Other
fields in the reports had errors too, such as length of residence at
current and past addresses, real property owned, and purchase/sale dates of
real property. The group also found that three reports identified
individuals incorrectly as officers of corporations. Choicepoint
recently claimed that only .0008 percent of the company's background
checks have incorrect information, according to the Wall Street Journal.

PrivacyActivism found that only six of the 11 requestors were able to
obtain their dossiers from Acxiom. The six that did obtain their reports
had to wait an average of 89 days after their requests to receive a
response from Acxiom. At least one biographical information error was in
67 percent of the Acxiom reports. One Acxiom report identified an
individual by the incorrect gender.

PrivacyActivism study on Choicepoint and Acxiom:


EPIC's Choicepoint page:


[5] House Bill Would Turn SSN Into a National Identifier

EPIC Executive Director Marc Rotenberg testified before the House
Subcommittee on Immigration, Border Security, and Claims on the "Illegal
Immigration Enforcement and Social Security Protection Act of 2005."
EPIC stated that the bill has significant flaws, among them the lack
of adequate privacy and security safeguards.

The bill requires Homeland Security to create a database containing
information on employment eligibility, as well as information on all
citizens and non-citizens living in the country legally. This would
transfer SSN record information from the Social Security Administration
to the Department of Homeland Security, and would dramatically expand
the mission of DHS to include determining who is eligible to work in the

The bill would require each citizen and non-citizen in the U.S. to
provide this new national identity card to each prospective employer.
Supporters of the bill deny that it will be used as a national ID card,
and point to a disclaimer in the bill stating: "This card shall not be used
for the purpose of identification." EPIC stated that employers, facing
stiff penalties for hiring ineligible workers, likely would use the SSN
card as a de facto identification card, no matter what disclaimer was
placed onto the card.

EPIC testified that the SSN was never intended to be a national
identifier, and should not be used as such. The subcommittee was urged
to limit the use of the Social Security Number, and to create strong
safeguards for this sensitive personal information.

EPIC's Testimony Before the House Subcommittee on Immigration, Border
Security, and Claims (pdf):


Text of H.R. 98: The Illegal Immigration Enforcement and Social Security
Protection Act of 2005:


View a Webcast of the May 12, 2005 Hearing:


[6] News in Brief

EPIC Testifies in Senate on ID Theft and Data Broker Industry

EPIC Executive Director Marc Rotenberg testified before the Senate
Committee on Commerce, Science and Transportation on identity theft and
commercial data brokers last week. EPIC highlighted the need for a
legislative response to the problem of commercial data brokers, such as
LexisNexis, Choicepoint, and Acxiom, that house and exploit troves of
personal information about individuals. EPIC recommended that the
Gramm-Leach-Bliley Act's Security Safeguards Rule should be applied to
data brokers, and the California data security breach notice law should
be extended to the federal level. EPIC also recommended passage of S.
768, the Comprehensive Identity Theft Protection Act, which would limit
the purposes for which data brokers' information could be used, and
ensure that individuals have a right to access and correct their files.

EPIC's Testimony Before the Senate Committee (pdf):


View a Webcast of the May 10, 2005 Hearing:


EPIC's Choicepoint Page:


Air Travelers Stripped Bare With X-ray Machine

The Transportation Security Administration plans to introduce "virtual
strip search" X-ray machines at select U.S. airports later this year.
The controversial systems, which are already used by U.S. customs
agents at 12 airports to screen passengers suspected of carrying drugs,
will scan general air travelers. Security workers using the $100,000
refrigerator-size machines can see through clothes and show images of a
person's nude body. The machines use "backscatter" technology, which
bounces low-radiation X-rays off of a passenger to produce photo-quality
images of metal, plastic and organic materials underneath clothes. TSA
has not announced when or where it will test the machines.

EPIC's Air Travel Privacy page:


Survey: U.S. Employers Likely To Monitor, Use Surveillance Systems

A survey of 526 U.S. companies found that 75 percent of companies
monitor workers' Web site connections, 50 percent store and review
employees' computer files, and 55 percent review e-mail messages. The
report by the American Management Association and the ePolicy Institute
also found that 51 percent of the companies surveyed use video
monitoring, up from 33 percent in 2001. Of the organizations that
monitor their employees, 80 percent inform workers that the company is
monitoring content, keystrokes and time spent at the keyboard; 82
percent notify employees that the company stores and reviews computer
files; 86 percent alert employees to e-mail monitoring; and 89 percent
notify employees that their Web usage is being tracked.

AMA and ePolicy's 2005 Electronic Monitoring & Surveillance Survey:


EPIC's Workplace Privacy page:


Students Build Database on a Shoestring, Public Records

Computer science graduate students with $50 and a tight timeline were
able to create databases rich with personal information from legal,
publicly available databases.  Student groups, led by Johns Hopkins
University Professor Aviel Rubin, obtained more than 1 million records,
including death records, property tax information, campaign donations,
phone books, and business permits. Mr. Rubin and his students were
profiled recently by the New York Times, along with the work of Betty
Ostergren, the "Virginia Watchdog," who has found the Social Security
numbers of prominent officials, including Colin Powell and Porter Goss,
in public records.

New York Times Article on the Johns Hopkins Students:


The Virginia Watchdog, Betty "BJ" Ostergren:


EPIC's Social Security Numbers page:


Some U.S. Visitors Must Have High-tech Passports in June

Citizens from the 27 "visa-waiver" countries must have machine-readable
passports by June 26 or they could be denied entry into the U.S. Any
airline, cruise ship or other transportation carrier that allows a
visa-waiver citizen to travel without a machine-readable passport will
be fined $3,300 per person. People with immediate travel plans who
cannot obtain a machine-readable passport in time should apply for a
U.S. visa. The Department of Homeland Security said the machine-readable
passports will speed the customs process for travelers. This deadline is
different from the October 2005 deadline that the State Department has
set for the 27 visa waiver countries to obtain passports containing
biometric data.

State Department's Visa Waiver Program page:


EPIC's Air Travel Privacy page:


Homeland Security Seeks More Data on Europeans

Department of Homeland Security Secretary Michael Chertoff announced
this week that the United States would seek additional information from
European leaders about European air passengers heading to the United
States. The United States and Europe currently have in place an
agreement that permits the transfer of European passenger data. Many
European political leaders believe this violates European privacy laws.
The European Parliament has brought a legal challenge against the
current policy.

Department of Homeland Security


EPIC's Passenger Profiling page


[7] EPIC Bookstore: Jensen & Draffan's "Welcome to the Machine"

Derrick Jensen & George Draffan, Welcome to the Machine: Science,
Surveillance, and the Culture of Control, (Chelsea Green Publishing Co.


"In their new collaboration for the "Politics of the Living" series,
Derrick Jensen and George Draffan reveal the modern culture of the
machine, where corporate might makes technology right, government money
feeds the greed for mad science, and absolute surveillance leads to
absolute control--and corruption. Through meticulous research and
fiercely personal narrative, Jensen and Draffan move beyond journalism
and exposé to question our civilization's very mode of existence.
Welcome to the Machine defies our willingness to submit to the
institutions and technologies built to rob us of all that makes us
human--our connection to the land, our kinship with one another, our
place in the living world."


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries
of interesting documents obtained from government agencies under the
Freedom of Information Act. Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes

[8] Upcoming Conferences and Events

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence
of Privacy & Security. May 23-24, 2005. Atlanta, Ga. For more
information:
http://www.pli.edu/product/program_detail.asp?ptid=511&stid=3&id=EN00000000019985

Debating REAL ID: A New National Driver's License? Center for American
Progress. May 26, 2005. Washington, DC. For more information:
http://www.americanprogress.org/site/apps/nl/content3.asp?c=biJRJ8OVF&b=616855&content_id={3FD4782D-1E53-4440-ADF8-6E7DF0CF851C}&notoc=1

SEC2005: Security and Privacy in the Age of Ubiquitous Computing.
Technical Committee on Security & Protection in Information Processing
Systems with the support of Information Processing Society of Japan.
May 30-June 1, 2005. Chiba, Japan. For more information:
http://www.sec2005.org.

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence
of Privacy & Security. June 6-7, 2005. San Francisco, CA. For more
information: http://www.pli.edu/

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence
of Privacy & Security. June 20-21, 2005. New York, NY. For more
information: http://www.pli.edu/

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005. Luxembourg City, Luxembourg. For more information:
http://www.icann.org.

3rd International Human.Society@Internet Conference. July 27-29, 2005.
Tokyo, Japan. For more information: http://hsi.itrc.net.

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:
http://www.ics.uci.edu/~kobsa/PEP05.

Access to Information: Analyzing the State of the Law. Riley
Information Services. September 8, 2005. Ottawa, Ontario. For more
information: http://www.rileyis.com/seminars/

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:
http://www.futureofmusic.org/events/summit05/index.cfm.

6th Annual Privacy and Security Workshop. Centre for Innovation Law and
Policy (University of Toronto) and the Center for Applied Cryptographic
Research (University of Waterloo). November 3-4, 2005. University of
Toronto. For more information:
http://www.cacr.math.uwaterloo.ca/conferences/2005/psw/announcement.html

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:
http://www.icann.org.

Subscription Information

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at: http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 12.09 ----------------------