========================================================================
                          E P I C   A l e r t
========================================================================
Volume 12.12                                               June 16, 2005
------------------------------------------------------------------------
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

             http://www.epic.org/alert/EPIC_Alert_12.12.html

========================================================================
Table of Contents
========================================================================
[1] EPIC Documents Spark Congressional Inquiry
[2] REAL ID Next Steps Debated at EPIC's National ID Symposium
[3] US Backs Down on Biometric Passports for European Union
[4] USA PATRIOT Act Reauthorization Debates Heat Up
[5] Senators, FTC At Odds on Solutions to Curbing Identity Theft
[6] News in Brief
[7] EPIC Bookstore: Johnny Long: Google Hacking for Penetration Testers
[8] Upcoming Conferences and Events

========================================================================
[1] EPIC Documents Spark Congressional Inquiry
========================================================================

Congresswoman Carolyn Maloney has asked the Social Security Administration to explain its new policy on disclosing personal information to law enforcement officials investigating the terrorist attacks of Sept. 11, 2001. Congresswoman Maloney is seeking to determine whether this policy violates the Privacy Act. The request follows from a Freedom of Information Act request pursued by EPIC earlier this year.

The documents obtained by EPIC reveal that the agency adopted a broad "ad hoc" policy. They show that the Social Security Administration provides law enforcement agencies with personal information merely upon a request stating that the data are sought "in connection" with a 9/11 investigation.
The documents also reveal that in the days after 9/11, the Social Security Administration created a "streamlined process" to "ensure expeditious and consistent processing of the requests" from the Federal Bureau of Investigation and other federal law enforcement agencies. A Social Security Administration "policy instruction" encouraged agency personnel to "use their knowledge of [agency] records to be as helpful as possible" in responding to law enforcement requests. The instruction gives as an example how, given a limited request to verify the match of a name to a Social Security number, a particular printout can reveal "additional information relevant to the investigation," such as birthdates and other information in the agency records. Such disclosures could violate the law enforcement exception of the Privacy Act, 5 U.S.C. § 552a(b)(7), which limits disclosures for law enforcement purposes to the particular portion of the record that the requesting agency specifies in writing.

In a letter to the Social Security Administration Commissioner, Representative Maloney has asked what specific changes the agency made in its disclosure policy after 9/11 and whether the agency's changes were prompted by requests from law enforcement. Representative Maloney also requested clarification of how the new policy complies with the Privacy Act, a federal statute that prohibits disclosure of records containing personal information for law enforcement purposes unless the requester specifies the law enforcement activity for which the record is sought.

The broad use of the agency's "ad hoc" disclosure policy represents a switch from the Social Security Administration's codified policy. The policy followed before 9/11 specified only two situations in which the Administration could disclose personal information to law enforcement. First, the agency could disclose information on a person who had been indicted for or convicted of a violent crime.
Second, personal information could be disclosed when necessary to investigate or prosecute a crime involving the social security program. A decision to disclose in any other circumstances, such as "when necessary to respond to life threatening situations," could be made only if not prohibited by federal law.

Much of the information the Administration maintains is highly personal, and participation in social security programs is mandatory. Amplification of the agency's "ad hoc" policy, allowing disclosure of such private data on persons whom the state is not prosecuting for a violent crime or social security fraud, gives the agency virtually unfettered disclosure authority. Congresswoman Maloney noted in her letter that the agency apparently changed its policy without consulting the House of Representatives committees that have jurisdiction over the Privacy Act and the Social Security Administration.

Letter to the Social Security Administration from Congresswoman Maloney (pdf):
http://www.epic.org/foia_notes/maloney_letter_052705.pdf

Documents Obtained by EPIC Under FOIA (pdf):
http://www.epic.org/foia_notes/ssa_foia.pdf

EPIC FOIA Note #4: Just Say "9/11" To Obtain Social Security Information:
http://www.epic.org/foia_notes/note4.html

========================================================================
[2] REAL ID Next Steps Debated at EPIC's National ID Symposium
========================================================================

On June 6, 2005, representatives of many organizations that raised concerns about REAL ID and related proposals met in Washington, DC, to discuss next steps at EPIC's symposium, "National ID at the Crossroads: The Future of Privacy in America." The event included panels about the technology, law, impact of, and international issues associated with identification.

In May, Congress passed the supplemental military spending bill to which the REAL ID Act was attached.
REAL ID, a national ID program, mandates federal identification standards and requires that state DMVs collect sensitive personal information. Congress passed REAL ID without a hearing even though legislators in both parties urged debate, and more than 600 organizations opposed the bill. Under the REAL ID Act, state DMVs will have to verify identification documents and the legal status of immigrants. States are mandated to link their databases so that the information collected by any DMV can be accessed by the others.

Speakers at the symposium included Bruce Schneier, author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World"; Barbara Simons of the Association for Computing Machinery; Cheye Calvo of the National Conference of State Legislatures; and Dennis Bailey of the Coalition for a Secure Driver's License. Mr. Bailey was one of the few supporters of the REAL ID Act at the symposium. He denied that REAL ID creates a national ID card, and said that he would accept the costs of implementing the legislation if it meant stronger national security.

Other speakers rejected the idea that the mandates of REAL ID would make the country more secure. They argued that placing document verification responsibilities on DMV workers, rather than on trained customs and immigration agents, would make it easier to create false identities and more likely that legitimate citizens and residents would be rejected as illegitimate. Mr. Schneier stated that the new licenses would indeed become national ID cards in practice, because licenses are used for far more than driving: people present them when they apply for credit cards or bank loans, write a check, get a library card or enter a courthouse. These national ID cards, containing sensitive personal information and possibly biometric identifiers, would be used several times a day for non-driving purposes.
EPIC's June 6, 2005, National ID Symposium page:
http://www.epic.org/events/id/

EPIC's National ID Cards and REAL ID page:
http://epic.org/privacy/id_cards/

Text of H.R. 418, the Real ID Act:
http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.00418:

========================================================================
[3] US Backs Down on Biometric Passports for European Union
========================================================================

The Department of Homeland Security (DHS) has relaxed its rules mandating that countries participating in the Visa Waiver Program issue biometric passports by October 2005. The current law, enacted in 2002, gives Visa Waiver countries until October to issue hi-tech passports containing biometric information, such as fingerprints or iris scans, stored on embedded machine-readable chips. Under the relaxed standards, passports must carry a digital photograph, which can be checked against the bearer's face, by October; the embedded identification chip is required only later. The requirements are a drastic step back from the initial biometric standards announced in 2002.

Only six EU countries are expected to issue passports that comply with the initial standards in time to meet the October deadline. The U.K. does not expect to issue biometric passports until the first quarter of 2006. The initial deadline of October 2004 was pushed back when no country could meet the new requirements in time. A separate requirement that passports be machine-readable will be enforced beginning on June 26.

Each year, an estimated 13 million travelers from 27 Visa Waiver countries, mostly in Europe, are allowed to visit the U.S. for up to 90 days without obtaining a visa. Citizens of countries that do not participate in the Visa Waiver Program, or that do not meet the new passport requirements, must obtain visas before entering the U.S.

This turnaround comes just one month after the State Department's decision to revise plans to use passports with unencrypted RFID tags.
The switch was in response to criticism from EPIC, other civil liberties groups, privacy and security experts, and the travel industry. The proposal would have made personal data contained in hi-tech passports vulnerable to unauthorized access: data stored on an unencrypted RFID chip can be read by any compatible reader within range, without the passport holder's knowledge or consent.

EPIC, EFF, et al., Comments on RFID passports (pdf):
http://www.epic.org/privacy/rfid/rfid_passports-0405.pdf

EPIC's RFID page:
http://epic.org/privacy/rfid/

========================================================================
[4] USA PATRIOT Act Reauthorization Debates Heat Up
========================================================================

In a surprise move, the House of Representatives voted 238-187 on Wednesday to block the Justice Department and the FBI from using the USA PATRIOT Act to seek library records and bookstore sales slips of terror suspects. Lawmakers were concerned about the potential invasion of privacy of innocent library users. The vote passed even after a veto threat from President Bush.

Also this week, the House Committee on the Judiciary held its eleventh oversight hearing on the USA PATRIOT Act on June 8, with Deputy Attorney General James Comey testifying. The questions centered on provisions concerning wiretapping, authority to search homes without prior notification, interception of computer trespasser communications, Internet service providers, and mandatory detention of non-citizen suspected terrorists. Several Members expressed concern about the erosion of civil liberties caused by certain USA PATRIOT Act provisions. Representatives from both parties noted that one option is to extend the law's "sunset" provision, which will nullify certain provisions of the law on December 31, 2005, unless Congress reauthorizes them, rather than permanently enacting the sunsetting provisions into law. Another option proposed is to apply a sunset provision to the entire Act, not just the specified sections now under review, so that Congress will scrutinize the law again at a later date.
The June 8 hearing continued on June 10. The witnesses included Carlina Tapia-Ruano, First Vice President of the American Immigration Lawyers Association; Dr. James J. Zogby, President of the Arab American Institute; Deborah Pearlstein, Director of the U.S. Law and Security Program; and Chip Pitts, Chair of the Board of Amnesty International USA. The witnesses emphasized that the USA PATRIOT Act should be designed to provide security while protecting individual rights. They called for greater oversight and accountability and less secrecy.

Committee Chairman James Sensenbrenner began the hearing by stating that the testimony of the witnesses was "far outside the scope" of the hearing, noting that he believed the testimony did not bear on the sixteen provisions of the USA PATRIOT Act under review. Mr. Sensenbrenner followed the House rules closely, holding Members and witnesses to the five-minute time limit. The Chairman abruptly closed the hearing and walked out while witnesses continued to testify and amidst protests from committee members.

Webcast of June 8, 2005, House Judiciary Committee Oversight Hearing on Reauthorization of the USA PATRIOT Act:
http://judiciary.house.gov/Oversight.aspx?ID=177

Webcast of June 10, 2005, House Judiciary Committee Oversight Hearing on Reauthorization of the USA PATRIOT Act (continued from June 8):
http://judiciary.house.gov/Oversight.aspx?ID=180

EPIC's USA PATRIOT Act Sunset page:
http://www.epic.org/privacy/terrorism/usapatriot/sunset.html

========================================================================
[5] Senators, FTC At Odds on Solutions to Curbing Identity Theft
========================================================================

The Senate Commerce Committee held a hearing today concerning the problem of identity theft. All of the senators expressed their belief that action had to be taken to curtail the growing number of data-security breaches.
Two common themes emerged from the hearing: the need to create minimum security standards for a company's collection of personal data, and the need to notify individuals when their personal information is exposed. Sen. Chuck Schumer proposed regulations for data brokers that would both require minimum security standards for data and allow the FTC to verify prospective buyers of information. Noting the recent CitiFinancial loss of data tapes, he proposed that any data transported on physical media be encrypted, so that a lost or stolen tape does not expose the data it carries. Sen. Dianne Feinstein said it was necessary for civil penalties to accompany any federal notification statute in order to ensure compliance.

William Sorrell, the Vermont Attorney General and President of the National Association of Attorneys General, stated that any action taken by the federal government regarding notification of consumers should serve as a floor and should not preempt more protective state laws. Mr. Sorrell also testified that federal statutes should not preempt any state efforts to develop "credit freeze" laws. (Credit reports that are "frozen" or sealed can be made available only when the individual "thaws" her file, and specifies to whom, when, or in what contexts the file can be released.)

Members of the Federal Trade Commission testified and called on Congress to enact tougher legislation on data brokers and businesses entrusted with sensitive consumer data. FTC commissioners consistently rejected a number of senators' suggestions, such as a national registry of data brokers, the creation of an Office of Identity Theft, and an end to the use of consumers' Social Security numbers by businesses. Commissioner Thomas Leary stated that it was impractical to halt the longtime use of the SSN by businesses. Instead, FTC commissioners suggested stronger laws narrowing the uses of the SSN as an identifier that are treated as legitimate.
Since 2001, EPIC has investigated commercial data aggregators such as ChoicePoint, which collect personal information on individuals and sell the data to third parties. In May, EPIC Executive Director Marc Rotenberg testified about identity theft and commercial data brokers before the same Senate committee. EPIC recommended passage of both the Notification of Risk to Personal Data Act, S. 751, and the Comprehensive Identity Theft Prevention Act, S. 768. EPIC also recommended the application of the federal Privacy Act to any information broker that sells personal information to federal agencies.

Senate Commerce Committee Hearing on June 16, 2005:
http://commerce.senate.gov/hearings/witnesslist.cfm?id=1536

EPIC's Testimony Before the Senate Committee on May 10, 2005 (pdf):
http://epic.org/privacy/id_cards/testimony50905.pdf

EPIC's ChoicePoint page:
http://www.epic.org/privacy/choicepoint

========================================================================
[6] News in Brief
========================================================================

FOIA Note #6: Election Agency Proposes Secret Voting Standards

Documents obtained by EPIC under the Freedom of Information Act reveal the complete draft standards for voting technology. The standards, which were developed by a technical committee for the Election Assistance Commission, could determine how votes will be tabulated in future elections. Other documents obtained by EPIC reveal vendor attempts to influence the development of the standards.

EPIC FOIA Note #6:
http://www.epic.org/foia_notes/note6.html

Documents Obtained by EPIC Under FOIA:
http://www.epic.org/privacy/voting/eac_foia/

EPIC Joins Civil Liberties Brief in Newsletter Subscriber Privacy Case

EPIC joined eight civil liberties organizations to submit a "friend of the court" brief in Forensic Advisors, Inc. v. Matrixx Initiatives, Inc., which is currently before the Maryland Court of Special Appeals.
In this case, Matrixx, a pharmaceutical company, is attempting to force Timothy Mulligan, a newsletter publisher, to disclose his subscriber list so that Matrixx can use it in connection with a lawsuit it filed against numerous unidentified people who posted derogatory comments about Matrixx on Internet discussion boards. The brief argues in favor of protecting the subscriber list under a Maryland law that protects journalists' sources. It also argues that the subscriber list is protected under the First Amendment, since disclosure of the list would deter readership and violate constitutionally established privacy rights. The brief proposes a five-factor test for determining when a subscriber list should be disclosed, essentially requiring the party demanding the list to prove that the list is essential to vindicate its legal rights, that those rights outweigh the privacy rights of the people on the list, and that it is in the public interest for the list to be disclosed.

Amicus Brief Submitted by EPIC, et al. (pdf):
http://www.epic.org/free_speech/forensic_amicus.pdf

Report Criticizes State of Open Government Under Ashcroft

Watching Justice recently released a report concerning open government under former Attorney General John Ashcroft. The report criticizes the Justice Department's relationship with the media and finds that Mr. Ashcroft's narrow interpretation of the federal FOIA made it harder to get information from the government. The report states that the current administration views open government "as a nuisance at best." Reporters and advocates are urged to give more attention to government initiatives and to make more FOIA requests in general.

"Open Government in the Ashcroft Era: What Went Wrong, and How to Make it Right":
http://www.watchingjustice.org/reports/article.php?docId=663

Survey: Congress Not Meeting Challenge of Data Protection

A recent survey shows that many D.C. opinion leaders believe Congress has failed to keep consumer data safe.
The survey by iQ Research and Consulting polled more than 400 "senior level professionals" with media, government, public policy or technology jobs in the D.C. area. More than 80% of those surveyed felt that Congress had not done enough to protect Social Security numbers; almost 70% felt that congressional attempts to protect consumer credit reports from unauthorized access were largely unsuccessful.

Joint Adobe and RSA Security Press Release About Survey:
http://www.rsasecurity.com/press_release.asp?doc_id=5886

EPIC's ChoicePoint page:
http://www.epic.org/privacy/choicepoint/

Justice Dept. Inspector General Criticizes Terror Screening Center

The Department of Justice Inspector General released an audit report this week concluding that the United States' new centralized terror database is missing names that should be in it and contains inaccurate information about other people. The Terrorist Screening Center's database consolidated about a dozen government watch lists, and can be accessed by intelligence officials and local, state, and federal law enforcement agents. "While the TSC had successfully created and deployed a consolidated watch list database, the TSC has not ensured that the information in that database is complete and accurate," the report determined. Furthermore, the report found that some information about publicly known terrorists was missing, and that the system has mistakenly identified people as being in the database. In response to the report, the Terrorist Screening Center released a response stating, among other things, that it will not establish an Office of the Ombudsman to take responsibility for redress issues arising from use of the information in the database.
Justice Department Inspector General's report:
http://www.usdoj.gov/oig/igwhnew1.htm

European Parliament and NGOs Oppose Data Retention Scheme

The Council of the European Union will continue with a proposal for an EU-wide regime of data retention, despite its rejection by the European Parliament. The proposal, introduced jointly by France, the UK, Ireland and Sweden in April 2004, is intended to ease judicial cooperation in criminal matters relating to the retention of data processed and stored by ISPs and telcos. But the proposal was rejected by the European Parliament after members considered a report that highlights problems with the proposal's scope and legal basis. Last week, a group of European NGOs, including EDRI, Privacy International and Statewatch, wrote to Parliament members urging a rejection of the proposal. The letter stated that data retention is an invasive tool that interferes with the private lives of everyone in Europe, and that retaining personal data on everyone is an illegal practice in violation of Article 8 of the European Convention on Human Rights because it is disproportionate, the security gained from retention may be illusory, and the means through which this policy is being pursued is illegitimate.

Letter from European NGOs to European Parliament:
http://www.edri.org/campaigns/dataretention/openletter

EPIC's Data Retention page:
http://www.epic.org/privacy/intl/data_retention.html

Senate Judiciary Committee Approves Measure To Tweak FOIA

The Senate Judiciary Committee has approved a measure that states that any future legislation establishing exemptions to the Freedom of Information Act must state the exemption clearly within the text of the bill. The measure, sponsored by Sen. John Cornyn and Sen. Patrick Leahy, is a companion bill to broader legislation to overhaul FOIA. The broader bill has not yet been considered by the committee.
The bill would make major changes to FOIA for the first time in more than a decade by calling for speedier responses to requests and for providing incentives for federal agencies to answer them.

Information about S. 1181:
http://thomas.loc.gov/cgi-bin/bdquery/z?d109:s.01181:

========================================================================
[7] EPIC Bookstore: Johnny Long: Google Hacking for Penetration Testers
========================================================================

Johnny Long, Google Hacking for Penetration Testers (Syngress 2005)
http://www.powells.com/cgi-bin/biblio?inkey=4-1931836361-0

Johnny Long's "Google Hacking for Penetration Testers" is an excellent resource on the Google Internet search engine. Anyone who uses Google should read the first two chapters of this book, as they explain the basic and more advanced search techniques available. After chapter two, things get interesting. Long explains how to use Google to access information anonymously, and then dives into discovering site vulnerabilities and personal information on the Internet. It concludes with common-sense approaches to securing your own servers against the search techniques explained earlier in the book.

--Chris Jay Hoofnagle

================================

EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $35.
http://www.epic.org/bookstore/phr2004

This survey, by EPIC and Privacy International, reviews the state of privacy in more than sixty countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.
http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and international privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/bookstore/crypto00

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act. Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
[8] Upcoming Conferences and Events
========================================================================

Sixth Annual Institute on Privacy Law: Data Protection - The Convergence of Privacy & Security. June 20-21, 2005. New York, NY. For more information: http://www.pli.edu/

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting. July 11-15, 2005. Luxembourg City, Luxembourg. For more information: http://www.icann.org

3rd International Human.Society@Internet Conference. July 27-29, 2005. Tokyo, Japan. For more information: http://hsi.itrc.net

PEP05: UM05 Workshop on Privacy-Enhanced Personalization. July 2005. Edinburgh, Scotland. For more information: http://www.ics.uci.edu/~kobsa/PEP05

Access to Information: Analyzing the State of the Law. Riley Information Services. September 8, 2005. Ottawa, Ontario. For more information: http://www.rileyis.com/seminars/

5th Annual Future of Music Policy Summit. Future of Music Coalition. September 11-13, 2005. Washington DC. For more information: http://www.futureofmusic.org/events/summit05/index.cfm

Public Voice Symposium: "Privacy and Data Protection in Latin America - Analysis and Perspectives." Launch of the first Spanish version of "Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto Lleras Camargo de la Universidad de los Andes, Bogota, Colombia. Organizers: Electronic Privacy Information Center (EPIC), Grupo de Estudios en Internet, Comercio Electrónico, Telecomunicaciones e Informática (GECTI), Law School of the Universidad de los Andes, Bogota, Colombia, Computer Professionals for Social Responsibility-Peru (CPSR-Perú). For more information: