                             E P I C  A l e r t
Volume 12.11                                              June 2, 2005

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] Report: Consumers Vulnerable to Profiling, Price Discrimination
[2] EPIC Urges Close Scrutiny of Sunsetting USA PATRIOT Act Provisions
[3] Government Proposes to "Virtually Strip Search" Air Passengers
[4] Government Report: Federal Agencies' RFID Plans Flawed
[5] Conference in Congo Covers Privacy Policies and Internet Governance
[6] News in Brief
[7] EPIC Bookstore: Larry Selden & Geoffrey Colvin: Good & Bad Customers
[8] Upcoming Conferences and Events

[1] Report: Consumers Vulnerable to Profiling, Price Discrimination

A new report released by the Annenberg Public Policy Center shows that
consumers are largely unaware of how their personal information is used
by businesses, and they object to behavioral profiling, price
discrimination, and the purchase of their personal information from
database companies. The report also found that the respondents
incorrectly believe that "laws prevent online and offline stores from
selling their personal information," and that "stores cannot charge them
different prices based on what they know about them." The report is
based on a phone survey of 1,500 Internet-using adults. It focuses on
two trends that are driven by the collection of personal information:
behavioral targeting, where individuals are presented different products
based on their shopping habits; and price discrimination, where
individuals are charged differently based on what the business knows
about consumers.

Using "first degree" price discrimination, a company can determine the
maximum that an individual is willing to pay for a product, and engage
in "dynamic" pricing. This enables sellers to hawk the same products at
the same time to different people at different prices.  Dynamic pricing
is even easier to employ in an online environment, where users are
tracked by registration data and cookies.

The report was presented at a press conference at the National Press Club
by Annenberg Public Policy Center Professor Joe Turow. Joining Professor
Turow at the event were FTC Commissioner John Liebowitz, EPIC Executive
Director Marc Rotenberg, and Professor Rene Hobbs.

Mr. Rotenberg said that the report demonstrated the need for the Federal
Trade Commission to safeguard consumer privacy. "Privacy policies have
failed to provide meaningful protection for American consumers. Online
profiling also raises the risk of 'digital redlining' that will exclude
some consumers from the marketplace. It is the FTC's role to safeguard
online privacy, and crack down on unfair business practices," said Mr.

The Annenberg report recommends three courses of action. First, because
75% of Internet users incorrectly believe that a site with a privacy
policy does not share information with third parties, companies should
use the label "Using Your Information" rather than "Privacy Policy" to
describe their data handling practices. Second, school systems should
develop consumer education and media literacy curricula. Finally, in
light of a finding that the vast majority of respondents believe that
they could be harmed by commercial collection of personal information,
the study's authors called for more transparency in data handling

"Open to Exploitation: American Shoppers Online and Offline" by
Annenberg Public Policy Center of the University of Pennsylvania (pdf):


EPIC's Choicepoint page:


[2] EPIC Urges Close Scrutiny of Sunsetting USA PATRIOT Act Provisions

The Senate Select Committee on Intelligence is considering legislation
that would reauthorize the sunsetting provisions of the USA PATRIOT Act
and expand the FBI's investigative powers. Included in the draft bill
are provisions that would (1) give the FBI greater authority to demand
that the U.S. Postal Service perform mail covers and (2) permit the FBI
to issue "administrative subpoenas" in foreign intelligence and
terrorism investigations.

EPIC issued a statement for the record for the Committee's May 24
hearing.  EPIC urged the Committee to carefully consider whether each
sunsetting provision should be reauthorized as written or whether
modifications are necessary, rather than simply voting to renew all
provisions as currently written.  In addition, EPIC urged the Committee
to oppose the expansion of the FBI's investigative powers absent
evidence that such expansion is necessary.  EPIC said that the executive
branch has not publicly demonstrated a need for providing greater
authority to the FBI, that there is no indication that such authority is
necessary for the FBI to ensure national security, and that the
provisions reach far beyond any authority publicly sought by the FBI.

In addition, EPIC, along with twenty-four other organizations, sent a
letter to the Chairman and Vice Chairman of the Committee urging them
not to grant the FBI authority to write their own search and disclosure
orders without judicial approval. The letter reminded the Committee of
U.S. Attorney General Alberto Gonzales's repeated emphasis that the
prior judicial approval required under current law is a safeguard
against abuse and that current law gives the FBI far-reaching compulsory
powers to obtain any relevant information when it is investigating
terrorism. Additionally, the letter stated that the burden of proof
established by the 9/11 Commission for retaining and adding particular
governmental powers has not been satisfied and the adoption of the
provision would give the FBI unjustified and unaccountable new powers.

EPIC Statement for the Record: 


Joint Opposition Letter:


EPIC's USA PATRIOT Act Sunset page:


[3] Government Proposes to "Virtually Strip Search" Air Passengers

The Transportation Security Administration (TSA) recently announced that
it would expand the use of new X-ray machines to general air passengers
traveling at 16 select airports throughout the U.S. TSA said it believes
that use of the machines to search air travelers is less invasive than
pat-down searches. However, the use of these machines, which show images
of a person's naked body, does pose a risk to the privacy rights of air

The machines use high-energy X-rays that are more likely to scatter than
penetrate materials as compared to lower-energy X-rays used in medical
applications. Although this type of X-ray is said to be harmless, it can
move through other materials, such as clothing. A passenger is scanned
by moving a single high-energy X-ray beam rapidly over her body. The
signal strength of detected backscattered X-rays from a known position
then allows a highly realistic image to be reconstructed. In the case
of airline passenger screening, the image is of her nude form. The
image resolution of the technology is high, so the picture of the body
presented to screeners is detailed.

The $100,000 backscatter machines were previously tested at 12 airports
by U.S. Customs agents who screened passengers suspected of carrying
drugs. The machines are also being used at London's Heathrow airport.
TSA has not formally announced when or where the backscatter machines
will be used to screen regular air travelers. However, media reports
have revealed some of the airports where the machines will be used. The
airports include: Baltimore/Washington, Dallas/Fort Worth, Jacksonville,
Phoenix and San Francisco.

Legal experts believe that the use of the device by government agencies
could be an impermissible search, under both the US constitution and
European privacy law.

EPIC's Backscatter Technology page:


EPIC's Air Travel Privacy page:


[4] Government Report: Federal Agencies' RFID Plans Flawed

The Government Accountability Office (GAO) released a report last week
that found thirteen government agencies are using or plan to use Radio
Frequency Identification (RFID) tags, but only one agency identified any
legal or privacy issues with the use of the tags. The federal agencies
plan to use RFID in identification cards, and to track employees'
movements and sensitive documents. The report did not address the use by
agencies of RFID data that is obtained from third parties.

RFID is used to electronically identify, track, and store information on
chips or tags. Tests have shown that RFID tags can be read at a distance
of thirty feet, which presents significant privacy and security risks.
The privacy risks involve the tracking of individuals, profiling of
individuals based on the collection of data, and the use of data for
purposes other than those for which they were collected. The security
risks relate to data confidentiality, integrity and availability. These
privacy and security risks are inherent in "skimming" and
"eavesdropping." Skimming occurs when information from an RFID chip is
surreptitiously gathered by an unauthorized individual. Eavesdropping
occurs when an individual intercepts data as it is read by an authorized
RFID reader.

The report identifies ways for government agencies to address the
privacy risks. These include: deactivation of the tags once their
function is fulfilled, blocking technology that disrupts transmission,
and an opt-in/opt-out framework for the data collected. RFID security
risks can be decreased with the use of authentication technology, which
prevents unauthorized readers from detecting the tags, and encryption
technology, which preserves confidentiality and integrity of

This report comes a month after the State Department revised its plans
to use passports with unencrypted RFID tags in response to criticism
from EPIC, other civil liberties groups, privacy and security experts,
and the travel industry. The proposal would have made personal data
contained in hi-tech passports vulnerable to unauthorized access.

Government Accountability Office Report on Agency Use of RFID (pdf):


EPIC, EFF et al, Comments on RFID passports (pdf):


EPIC's Spotlight on Surveillance for April 2005 Concerning Agency ID
Cards With RFID Tags:


EPIC's RFID page:


[5] Conference in Congo Covers Privacy Policies and Internet Governance

EPIC sponsored a two-day conference in Brazzaville, Republic of Congo,
on May 16 and 17, about linking research on information and
communication technologies (ICT's) to development. The Congo-based
non-governmental organization (NGO) Azur Développement organized a
workshop and a symposium to address research on ICT's, privacy policy
and Internet governance issues.

The symposium analyzed the current barriers and challenges to the
increase of research on ICT's in universities and high schools, the
impact of research on ICT's on the development of communities, and the
role of research on ICT's in the Information Society. EPIC Director of
the International Privacy Project Cedric Laurant talked about the recent
developments in privacy around the world, as well as about security
issues related to the use of e-mail and other Internet-based

Other speakers discussed the opportunities and challenges of the
Information Society, the ways to integrate research on ICT's in
community projects, Internet governance, ICT policy in Africa, the
challenges of electronic privacy in Congo, and the World Summit on
Information Society. Students shared reports on the challenges of
e-commerce in Congo; electronic privacy and security; research on ICT's
in Africa and their development in Congo; volunteers' use of ICT's;
freedom of speech on the Internet; and the integration of research on
ICT's in community projects.

The preparatory workshop, held the day before the symposium, allowed NGO
representatives and university students to explore the various ICT's
that can help them carry out their research and apply for grants when
developing public interest community projects. The workshop also
provided information on how to disseminate information and network with
others more efficiently using ICT's.

Presentations and Documents from the Conference (currently in French
only, but soon available in English):


Conference site (in French only):


[6] News in Brief

EPIC Voting Project Urges Privacy Safeguards for Databases

The National Committee for Voting Integrity has submitted comments to
the Election Assistance Commission on the proposed creation of
centralized statewide voter registration databases. NCVI said that the
registration systems must assure voter privacy by adhering to fair
information practices, and allow voters to verify information, correct
inaccurate information, and be assured that the information provided
will not be used for non-voting related purposes.

National Committee for Voting Integrity Comments:


EPIC's Voting page:


Court Rules Against Japan ID Plan

A Japanese court has ruled that individuals may not be required to
provide personal information for the National Residence Registry Network
or "Juki Net." The court said that Article 13 of the Japanese
constitution applied to all of the data sought by the government for the
database, which includes names, addresses, birth dates and sexes, plus
11-digit resident codes. A second court ruled that the first four pieces
of personal information, which people can access over the network, "do
not need to be highly protected." Similar lawsuits have been filed in 13
different courts across Japan, challenging the collection of data for
Juki Net.

Privacy and Human Rights 2004 (Japan)


"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.


System Allows Parents To Spy on Children's Lunches

Three school districts in Atlanta, Ga., last week began to allow parents
to monitor their children's meals through an electronic lunch payment
system called Mealpay.com, created by Horizon Software International.
Each time a student buys an item at the school cafeteria, whether
through an account or in cash, they key in their ID number and record
each purchase for parents to view online. Some parents are monitoring
meals as a way to stem obesity in their children.

MealPay.com FAQs:


New York City Plans to Install 400 More Surveillance Cameras

The New York City police department announced this week that it plans to
install as many as 400 surveillance cameras in high-crime and
high-traffic areas around the city. The cameras would record digital
videotape but would not be monitored live by police officers. They would
be in addition to 80 surveillance cameras already in New York. Other
cities with large camera surveillance systems, often financed with
federal grants, include Chicago, Baltimore and New Orleans. EPIC's May
Spotlight on Surveillance reported that such surveillance systems have
little effect on crime, and that it is more effective to place
additional officers on the streets and improve lighting in high-crime

EPIC's May Spotlight on Surveillance:


EPIC's Observing Surveillance Project:


Iowa Requires Parental Permission Before Obtaining Children's Fingerprints

Iowa has passed a law requiring police to obtain parents' permission
before taking children's fingerprints. The Child Identification and
Protection Act prohibits the unauthorized fingerprinting of children
except under certain circumstances, including certain criminal
situations. The act followed reports of police fingerprinting children
without their parents' permission.

Iowa Child Identification and Protection Act:


[7] EPIC Bookstore: Larry Selden & Geoffrey Colvin: Good & Bad Customers


Larry Selden & Geoffrey Colvin, Angel Customers and Demon Customers,
(Portfolio 2003)


A major clothing seller once declared that, "an educated consumer is our
best customer."  If retailers listen to Larry Selden and Geoffrey
Colvin's advice in "Angel Customers and Demon Customers," the sucker
consumer will be the new "best" customer. Selden and Colvin argue that
businesses should divide their customer bases into "angel" and "demon"
consumers. Angels are not careful with their money; they charge $5,000
plane tickets and keep high credit card balances. Demons are those who
pay their credit card bills in full, buy products that are discounted,
return items, or those who spend sales associates' time asking questions
about products. In other words, the authors imply that frugal, smart
shoppers who do their homework are demonic. Angels should be rewarded,
while demons' behavior should be shaped so that it becomes more
profitable for the business. In extreme cases, demon customers should be
"fired." Already, Selden and Colvin's ideas have taken root at major
companies, including Best Buy and Fidelity Bank.

As with other books of this genre, "Angel Customers and Demon Customers"
could be less repetitive and emotional, but more importantly, it could
be more insightful. The authors devote only a single paragraph to the
privacy implications of their proposal.  There is no serious discussion
of the ethical dimension of price and service discrimination. In light
of the Annenberg Policy Report released this week, where respondents
objected strongly to both business practices, this book could be
improved by a thoughtful treatment of the bounds of "good" and "evil"
and the implications of categorizing people as such.

While some of the authors' proposals have merit, overall these practices
are dangerous.  On one level, the practices would seem to reduce
competition, as focus would be shifted away from developing the best
product at the lowest price to one where the focus is identifying the
loyal and shaping the thrifty into spendthrifts. Also, these practices
will favor the rich and unfairly penalize the poor and minorities
(according to the Wall Street Journal, Best Buy identified their most
desirable customers as "upper-income men, suburban mothers,
small-business owners, young family men, and technology enthusiasts").
With time, these practices could negatively alter the balance of power
between the consumer individual and businesses, encouraging one to ask:
"Should I return that item, or will it mark me as a demon?"

--Chris Jay Hoofnagle


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries
of interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes

======================================================================
[8] Upcoming Conferences and Events
======================================================================

Sixth Annual Institute on Privacy Law: Data Protection - The
Convergence of Privacy & Security. June 6-7, 2005. San Francisco, CA.
For more information: http://www.pli.edu/

Regulation: A Closer Look at Security, Data, and Ethics in Business.
Association for Corporate Travel Executives. June 16, 2005.
Washington, DC. For more information:
http://www.acte.org/events/dc_061605/teaser.shtml

Sixth Annual Institute on Privacy Law: Data Protection - The
Convergence of Privacy & Security. June 20-21, 2005. New York, NY.
For more information: http://www.pli.edu/

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005. Luxembourg City, Luxembourg. For more information:
http://www.icann.org.

3rd International Human.Society@Internet Conference. July 27-29, 2005.
Tokyo, Japan. For more information: http://hsi.itrc.net.

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:
http://www.ics.uci.edu/~kobsa/PEP05.

Access to Information: Analyzing the State of the Law. Riley
Information Services. September 8, 2005. Ottawa, Ontario. For more
information: http://www.rileyis.com/seminars/

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:
http://www.futureofmusic.org/events/summit05/index.cfm.

6th Annual Privacy and Security Workshop. Centre for Innovation Law
and Policy (University of Toronto) and the Center for Applied
Cryptographic Research (University of Waterloo). November 3-4, 2005.
University of Toronto. For more information:
http://www.cacr.math.uwaterloo.ca/conferences/2005/psw/announcement.html

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:
http://www.icann.org.

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

      https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

      http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information. EPIC
publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research. For more information, see
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248
(fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:

      http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 12.11 ----------------------