
                             E P I C  A l e r t
Volume 12.12                                              June 16, 2005

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] EPIC Documents Spark Congressional Inquiry
[2] REAL ID Next Steps Debated at EPIC's National ID Symposium
[3] US Backs Down on Biometric Passports for European Union
[4] USA PATRIOT Act Reauthorization Debates Heat Up
[5] Senators, FTC At Odds on Solutions to Curbing Identity Theft
[6] News in Brief
[7] EPIC Bookstore: Johnny Long: Google Hacking for Penetration Testers
[8] Upcoming Conferences and Events

[1] EPIC Documents Spark Congressional Inquiry

Congresswoman Carolyn Maloney has asked the Social Security
Administration to explain its new policy on disclosing personal
information to law enforcement officials investigating the terrorist
attacks of Sept. 11, 2001. Congresswoman Maloney is seeking to determine
whether this policy violates the Privacy Act.

The request follows from a Freedom of Information Act request pursued by
EPIC earlier this year. The documents obtained by EPIC reveal that the
agency adopted a broad "ad hoc" policy. They show that the Social
Security Administration provides law enforcement agencies with personal
information merely upon a request stating that the data are sought "in
connection" with a 9/11 investigation. The documents also reveal that in
the days after 9/11, the Social Security Administration created a
"streamlined process" to "ensure expeditious and consistent processing
of the requests" from the Federal Bureau of Investigation and other
federal law enforcement agencies.

A Social Security Administration "policy instruction" encouraged agency
personnel to "use their knowledge of [agency] records to be as helpful
as possible" in responding to law enforcement requests. The instruction
gives as an example how, given a limited request to verify the match of
a name to a Social Security number, a particular printout can reveal
"additional information relevant to the investigation," such as
birthdates and other information in the agency records. Such disclosures
could be in violation of Exemption 7 of the Privacy Act, which limits
disclosures for law enforcement purposes to the particular portion of
the record that is requested.

In a letter to the Social Security Administration Commissioner,
Representative Maloney has asked what specific changes the agency made
in its disclosure policy after 9/11 and whether the agency's changes
were prompted by requests from law enforcement. Representative Maloney
also requested clarification of how the new policy complies with the
Privacy Act, a federal statute that prohibits disclosure of records
containing personal information for law enforcement purposes unless the
requester specifies the law enforcement activity for which the record is

The broad use of the agency's "ad hoc" disclosure policy represents a
switch from the Social Security Administration's codified policy. The
policy followed before 9/11 specified only two situations in which the
Administration could disclose personal information to law enforcement.
First, the agency could disclose information on a person who had been
indicted for or convicted of a violent crime. Second, personal
information could be disclosed when necessary to investigate or
prosecute a crime involving the social security program. A decision to
disclose in any other circumstances, such as "when necessary to respond
to life threatening situations," could be made only if not prohibited by
federal law.

Much of the information the Administration maintains is highly personal,
and participation in social security programs is mandatory.
Amplification of the agency's "ad hoc" policy, allowing disclosure of
such private data on persons whom the state is not prosecuting for a
violent crime or social security fraud, gives the agency virtually
unfettered disclosure authority. Congresswoman Maloney noted in her
letter that the agency apparently changed its policy without consulting
the House of Representatives committees that have jurisdiction over the
Privacy Act and the Social Security Administration.

Letter to the Social Security Administration from Congresswoman Maloney


Documents Obtained by EPIC Under FOIA (pdf):


EPIC FOIA Note #4: Just Say "9/11" To Obtain Social Security


[2] REAL ID Next Steps Debated at EPIC's National ID Symposium

On June 6, 2005, representatives of many organizations that raised
concerns about REAL ID and related proposals met in Washington, DC, to
discuss next steps at EPIC's symposium, "National ID at the Crossroads:
The Future of Privacy in America." The event included panels about the
technology, law, impact of, and international issues associated with

In May, Congress passed the supplemental military spending bill to which
the REAL ID Act was attached. REAL ID, a national ID program, mandates
federal identification standards and requires that state DMVs collect
sensitive personal information. Congress passed REAL ID without a
hearing even though legislators in both parties urged debate, and more
than 600 organizations opposed the bill. Under the REAL ID Act, state
DMVs will have to verify identification documents and the legal status
of immigrants. States are mandated to link their databases so that all
information collected by each DMV can be accessed.

Speakers at the symposium included Bruce Schneier, author of "Beyond
Fear: Thinking Sensibly About Security in an Uncertain World"; Barbara
Simons of the Association for Computing Machinery; Cheye Calvo of the
National Conference of State Legislatures, and Dennis Bailey of the
Coalition for a Secure Driver's License. Mr. Bailey was one of the few
supporters of the REAL ID Act at the symposium. He denied that REAL ID
creates a national ID card, and said that he would accept the costs of
implementing the legislation if it would mean there would be stronger
national security.

Other speakers rejected the idea that the mandates of REAL ID would make
the country more secure. Placing identification verification
responsibilities upon DMV workers, as opposed to trained Customs and
Immigration agents, would make it easier for false identities to be
created and more likely that legitimate citizens and residents would be
rejected as illegitimate. Mr. Schneier stated that the new licenses
would indeed become national ID cards in practice as licenses are used
for more than just driving - they're used when people apply for credit
cards or bank loans, write a check, get a library card or enter a
courthouse. These national ID cards, containing sensitive personal
information and possibly biometric identification, would be used several
times a day for non-driving purposes.

EPIC's June 6, 2005, National ID Symposium page:


EPIC's National ID Cards and REAL ID page:


Text of H.R. 418, the Real ID Act:


[3] US Backs Down on Biometric Passports for European Union

The Department of Homeland Security (DHS) has relaxed its rules
mandating that countries participating in the Visa Waiver Program issue
biometric passports by October 2005. The current law, enacted in 2002,
gives Visa Waiver countries until October to issue hi-tech passports
containing biometric information such as fingerprints or iris scans
embedded in machine-readable chips.

The new passport standards require digital photographs to match with a
person's unique physical characteristics by October and an embedded
identification chip later. The requirements are a drastic step back from
the initial biometric standards announced in 2002. Only six EU countries
are expected to issue passports that comply with the initial standards
in time to meet the October deadline. The U.K. does not expect to issue
biometric passports until the first quarter of 2006. The initial
deadline of October 2004 was pushed back when no country could meet the
new requirements in time. A separate requirement that passports be
machine-readable will be enforced beginning on June 26.

Each year, an estimated 13 million travelers from 27 Visa Waiver
Countries, mostly in Europe, are allowed to visit the U.S. for up to 90
days without obtaining a visa. Citizens in countries that do not
participate in the visa-waiver program, or do not meet the new passport
requirements, must obtain visas before entering the U.S.

This turnaround comes just one month after the State Department's
decision to revise plans to use passports with unencrypted RFID tags.
The switch was in response to criticism from EPIC, other civil liberties
groups, privacy and security experts, and the travel industry. The
proposal would have made personal data contained in hi-tech passports
vulnerable to unauthorized access.

EPIC, EFF et al., Comments on RFID passports (pdf):


EPIC's RFID page:


[4] USA PATRIOT Act Reauthorization Debates Heat Up

In a surprise move, the House of Representatives voted 238-187 on
Wednesday to block the Justice Department and the FBI from using the USA
PATRIOT Act to seek library records and bookstore sales slips of terror
suspects. Lawmakers were concerned about the potential invasion of
privacy of innocent library users. The vote passed even after a veto
threat from President Bush.

Also this week, the House Committee on the Judiciary held its eleventh
oversight hearing on the USA PATRIOT Act on June 8, with Deputy Attorney
General James Comey testifying. The questions centered on provisions
concerning wiretapping, authority to search homes without prior
notification, interception of computer trespasser communications,
Internet service providers, and mandatory detention of non-citizen
suspected terrorists.

Several Members expressed concern about the erosion of civil liberties
caused by certain USA PATRIOT Act provisions. Representatives from both
parties noted that one option is to extend the law's "sunset" provision,
which will nullify certain provisions of the law on December 31, 2005,
unless Congress reauthorizes them, rather than permanently enact the
sunsetting provisions into law. Another option proposed is to apply a
sunset provision to the entire Act, not just the specified sections now
under review, so that Congress will scrutinize the law again at a later

The June 8 hearing continued on June 10. The witnesses included Carlina
Tapia-Ruano, First Vice President of the American Immigration Lawyers
Association; Dr. James J. Zogby, President of the Arab American
Institute; Deborah Pearlstein, Director of the U.S. Law and Security
Program; and Chip Pitts, Chair of the Board of Amnesty International
USA. The witnesses emphasized that the USA PATRIOT Act should be
designed to provide security while protecting individual rights. They
called for greater oversight and accountability and less secrecy.

Committee Chairman James Sensenbrenner began the hearing by stating that
the testimony of the witnesses was "far outside the scope" of the
hearing, noting that he believed the testimony did not bear on the
sixteen provisions of the USA PATRIOT Act under review. Mr.
Sensenbrenner followed the House rules closely, holding Members and
witnesses to the five-minute time limit. The Chairman abruptly closed
the hearing and walked out while witnesses continued to testify and
amidst protests from committee members.

Webcast of June 8, 2005, House Judiciary Committee Oversight Hearing on
Reauthorization of the USA PATRIOT Act:


Webcast of June 10, 2005, House Judiciary Committee Oversight Hearing on
Reauthorization of the USA PATRIOT Act (continued from June 8):


EPIC's USA PATRIOT Act Sunset page:


[5] Senators, FTC At Odds on Solutions to Curbing Identity Theft

The Senate Commerce Committee held a hearing today concerning the
problem of identity theft. All of the senators expressed their belief
that action had to be taken to curtail the growing number of
data-security breaches. Two common themes emerged from the hearing: the
need to create minimum security standards for a company's collection of
personal data and to notify individuals of the exposure of their
personal information.

Sen. Chuck Schumer proposed regulations for data brokers that would
require the implementation of both minimum security standards for data
and would also allow for FTC authentication of any possible information
buyers. Noting the recent CitiFinancial loss of data tapes, he proposed
that any data transported in a physical manner should utilize encryption
in order to minimize exposure. Sen. Dianne Feinstein said it was
necessary for civil penalties to accompany any federal notification
statute in order to ensure compliance.

William Sorrell, the Vermont Attorney General and President of the
National Association of Attorneys General, stated that any action taken
by the federal government regarding notification of consumers should
serve as a floor and that it not preempt more protective state laws. Mr.
Sorrell also testified that federal statutes should not preempt any
state efforts to develop "credit freeze" laws. (Credit reports that are
"frozen" or sealed can be made available only when the individual
"thaws" her file, and specifies to whom, when, or in what contexts the
file can be released.)

Members of the Federal Trade Commission testified and called on Congress
to enact tougher legislation on data brokers and businesses entrusted
with sensitive consumer data. FTC commissioners consistently rejected a
number of senators' suggestions, such as a national registry of data
brokers, the creation of an Office of Identity Theft, and an end to the
use of consumers' Social Security numbers by businesses. Commissioner
Thomas Leary stated that it was impractical to halt the longtime use of
the SSN by businesses. FTC commissioners suggested stronger laws to
limit the legitimate use of the SSN as an identifier.

Since 2001, EPIC has investigated commercial data aggregators such as
Choicepoint, which collect personal information on individuals and sell
the data to third parties. In May, EPIC Executive Director Marc
Rotenberg testified about identity theft and commercial data brokers
before the same Senate committee. EPIC recommended passage of both the
Notification of Risk to Personal Data Act, S. 751, and the Comprehensive
Identity Theft Prevention Act, S. 768. EPIC also recommended the
application of the federal Privacy Act to any information broker that
sells personal information to federal agencies.

Senate Commerce Committee Hearing on June 16, 2005:


EPIC's Testimony Before the Senate Committee on May 10, 2005 (pdf):


EPIC's Choicepoint page:


[6] News in Brief

FOIA Note #6: Election Agency Proposes Secret Voting Standards

Documents obtained by EPIC under the Freedom of Information Act reveal
the complete draft standards for voting technology. The standards, which
were developed by a technical committee for the Election Assistance
Commission, could determine how votes will be tabulated in future
elections. Other documents obtained by EPIC reveal vendor attempts to
influence the development of the standards.

EPIC FOIA Note #6:


Documents Obtained by EPIC Under FOIA:


EPIC Joins Civil Liberties Brief in Newsletter Subscriber Privacy Case

EPIC joined eight civil liberties organizations to submit a "friend of
the court" brief in Forensic Advisors, Inc. v. Matrixx Initiatives,
Inc., which is currently before the Maryland Court of Special Appeals.
In this case, Matrixx, a pharmaceutical company, is attempting to force
Timothy Mulligan, a newsletter publisher, to disclose his subscriber
list so that Matrixx can use it in connection with a lawsuit it filed
against numerous unidentified people who posted derogatory comments
about Matrixx on Internet discussion boards. The brief argues in favor
of protecting the subscriber list under a Maryland law that protects
journalists' sources. It also argues that the subscriber list is
protected under the First Amendment, since disclosure of the list would
deter readership and violate constitutionally established privacy
rights. The brief proposes a five-factor test for determining when a
subscriber list should be disclosed, essentially requiring the party
demanding the list to prove that the list is essential to vindicate its
legal rights, that those rights outweigh the privacy rights of the
people on the list, and that it is in the public interest for the list
to be disclosed.

Amicus Brief Submitted by EPIC et al. (pdf):


Report Criticizes State of Open Government Under Ashcroft

Watching Justice recently released a report concerning open government
under former Attorney General John Ashcroft. The report criticizes the
Justice Department's relationship with the media and finds that Mr.
Ashcroft's narrow interpretation of the federal FOIA made it harder to
get information from the government. The report states that the current
administration views open government "as a nuisance at best." Reporters
and advocates are urged to give more attention to government initiatives
and to make more FOIA requests in general.

"Open Government in the Ashcroft Era: What Went Wrong, and How to Make
it Right":


Survey: Congress Not Meeting Challenge of Data Protection

A recent survey shows that many D.C. opinion leaders believe Congress
has failed to keep consumer data safe. The survey by iQ Research and
Consulting polled more than 400 "senior level professionals" with media,
government, public policy or technology jobs in the D.C. area. More
than 80% of those surveyed felt that Congress had not done enough to
protect Social Security numbers; almost 70% felt that congressional
attempts to protect consumer credit reports from unauthorized access
were largely unsuccessful.

Joint Adobe and RSA Security Press Release About Survey:


EPIC's Choicepoint page: 


Justice Dept. Inspector General Criticizes Terror Screening Center

The Department of Justice Inspector General released an audit report
this week concluding that the United States' new centralized terror
database is missing names that should be in it and contains inaccurate
information about other people. The Terrorist Screening Center's
database consolidated about a dozen government watch lists, which can be
accessed by intelligence officials and local, state, and federal law
enforcement agents. "While the TSC had successfully created and deployed
a consolidated watch list database, the TSC has not ensured that the
information in that database is complete and accurate," the report
determined. Furthermore, the report found that some information about
publicly known terrorists was missing, and the system has mistakenly
identified people as being in the database. In response to the report,
the Terrorist Screening Center released a response stating, among other
things, that it will not establish an Office of the Ombudsman to take
responsibility for redress issues arising from use of the information in
the database.

Justice Department Inspector General's report:


European Parliament and NGOs Oppose Data Retention Scheme

The Council of the European Union will continue with a proposal for an
EU-wide regime of data retention, despite its rejection by the European
Parliament. The proposal, introduced jointly by France, the UK, Ireland
and Sweden in April 2004, is intended to ease judicial cooperation in
criminal matters relating to the retention of data processed and stored
by ISPs and telcos. But the proposal was rejected by the European
Parliament after members considered a report that highlights problems
with the proposal's scope and legal basis. Last week, a group of
European NGOs, including EDRI, Privacy International and Statewatch,
wrote to Parliament members urging a rejection of the proposal. The
letter stated that data retention is an invasive tool that interferes
with the private lives of everyone in Europe, and retaining personal
data on everyone is an illegal practice in violation of Article 8 of the
European Convention on Human Rights because it is disproportionate,
security gained from retention may be illusory, and the means through
which this policy is being pursued is illegitimate.

Letter from European NGOs to European Parliament:


EPIC's Data Retention page:


Senate Judiciary Committee Approves Measure To Tweak FOIA

The Senate Judiciary Committee has approved a measure that states any
future legislation establishing exemptions to the Freedom of Information
Act be stated clearly within the text of the bill. The measure,
sponsored by Sen. John Cornyn and Sen. Patrick Leahy, is a companion
bill to broader legislation to overhaul FOIA. The broader bill has not
yet been considered by the committee. The bill would make major changes
to FOIA for the first time in more than a decade by calling for speedier
responses for requests and for providing incentives for federal agencies
to answer them.

Information about S. 1181:


[7] EPIC Bookstore: Johnny Long: Google Hacking for Penetration Testers

Johnny Long, Google Hacking for Penetration Testers (Syngress 2005)


Johnny Long's "Google Hacking for Penetration Testers" is an
excellent resource on the Google Internet search engine.  Anyone who
uses Google should read the first two chapters of this book, as it
explains the basic and more advanced search techniques available.  After
chapter two, things get interesting. Long explains how to use Google to
access information anonymously, and then dives into discovering site
vulnerabilities and personal information on the Internet. It concludes
with common-sense approaches to securing your own servers against the
search techniques explained earlier in the book.

--Chris Jay Hoofnagle


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries
of interesting documents obtained from government agencies under the
Freedom of Information Act. Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes


[8] Upcoming Conferences and Events

Sixth Annual Institute on Privacy Law: Data Protection - The
Convergence of Privacy & Security. June 20-21, 2005. New York, NY. For
more information: http://www.pli.edu/

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
July 11-15, 2005. Luxembourg City, Luxembourg. For more information:
http://www.icann.org.

3rd International Human.Society@Internet Conference. July 27-29, 2005.
Tokyo, Japan. For more information: http://hsi.itrc.net.

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005.
Edinburgh, Scotland. For more information:
http://www.ics.uci.edu/~kobsa/PEP05.

Access to Information: Analyzing the State of the Law. Riley
Information Services. September 8, 2005. Ottawa, Ontario. For more
information: http://www.rileyis.com/seminars/

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:
http://www.futureofmusic.org/events/summit05/index.cfm.

Public Voice Symposium: "Privacy and Data Protection in Latin America -
Analysis and Perspectives." Launch of the first Spanish version of
"Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto
Lleras Camargo de la Universidad de los Andes, Bogota, Colombia.
Organizers: Electronic Privacy Information Center (EPIC), Grupo de
Estudios en Internet, Comercio Electrónico, Telecomunicaciones e
Informática (GECTI), Law School of the Universidad de los Andes, Bogota,
Colombia, Computer Professionals for Social Responsibility-Peru
(CPSR-Perú). For more information:
http://www.thepublicvoice.org/events/bogota05/default.html.

6th Annual Privacy and Security Workshop. Centre for Innovation Law and
Policy (University of Toronto) and the Center for Applied Cryptographic
Research (University of Waterloo). November 3-4, 2005. University of
Toronto. For more information:
http://www.cacr.math.uwaterloo.ca/conferences/2005/psw/announcement.html

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis.

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:
http://www.icann.org.


Subscription Information

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at: http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.


Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"Subscription Information."


About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 12.12 ----------------------