                             E P I C  A l e r t
Volume 12.15                                               July 28, 2005

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] Court Rejects Agencies' "Sensitive Security" Claim in EPIC FOIA Case
[2] EPIC Testifies on Draft House Data Security Bill
[3] Local, State, National Organizations Battle REAL ID Implementation
[4] Accountability Office Finds Security Agency Broke Privacy Law
[5] After U.K. Attacks, Pressure Rises for More Surveillance in U.S.
[6] News in Brief
[7] EPIC Bookstore: Nat Hentoff's "War on the Bill of Rights"
[8] Upcoming Conferences and Events

[1] Court Rejects Agencies' "Sensitive Security" Claim in EPIC FOIA Case

In a Freedom of Information Act case brought by EPIC against three
federal agencies, a federal court has held that the Transportation
Security Agency and Department of Homeland Security may not withhold a
document sought by the public simply by saying it contains "sensitive
security information." Though federal agencies "are not required to
describe the withheld portions in so much detail that it reveals the
sensitive security information itself," the court said they are required
to "provide a more adequate description" to explain why material is not
made public.

The determination came in a Freedom of Information Act suit EPIC filed
last year to force DHS, TSA and the FBI to release documents detailing
the agencies' efforts to obtain passenger information from commercial
airlines. The suit challenged the adequacy of the FBI's search for
documents in response to EPIC's FOIA request.  EPIC also argued that DHS
and TSA improperly withheld requested records on grounds of protecting
sensitive security information, personal privacy, and the agencies'
internal deliberative processes.

The District Court for the District of Columbia determined that the FBI
had conducted an adequate search for documents, and that DHS and TSA
properly did not release some information under the FOIA. However, the
court found that the agencies did not provide enough justification for
numerous withholdings.

In addition to its finding on "sensitive security information," the
court determined that DHS and TSA did not sufficiently explain the
withholding of more than twenty documents as "deliberative."  The court
also determined that while agency employees have a privacy interest in
their identities, the agencies did not provide enough information for
the court to decide whether business and agency identifiers and domain
names were properly redacted to protect personal privacy.  The court has
ordered DHS and TSA to provide more detailed justification for these

The opinion:


For more information about the case:


[2] EPIC Testifies on Draft House Data Security Bill

In testimony today before the House Commerce Subcommittee on Consumer
Protection, EPIC West Coast Director Chris Hoofnagle urged Congress to
pass strong data security legislation that includes privacy protections
for use of personal information. The hearing concerned bipartisan draft
legislation sparked by a series of major data security breaches.

The legislation would direct the Federal Trade Commission to develop
security standards applicable to all companies that possess Social
Security numbers, driver's license numbers, or financial account
numbers. Holders of these categories of personal information would have
to give notice to their customers whenever a security breach occurred
that created a "reasonable basis to conclude" that the breach "may
result in identity theft." Additionally, companies would have to create
a security policy, identify an employee responsible for information
security, and employ preventative and corrective measures to address
security vulnerabilities.

Heightened responsibilities would be placed upon information brokers,
such as Lexis-Nexis and Acxiom. Such companies would have to provide
individuals with their personal information dossier at no cost, and be
audited regularly by the FTC. The legislation would broadly preempt
stronger state law and limit enforcement of violations to the FTC.

EPIC's testimony focused on including privacy protections to complement
the data security requirements. EPIC argued that the legislation should
include the option for a "credit freeze," which enables individuals to
block almost all dissemination of their credit reports. EPIC also
recommended that companies be required to use audit logs to deter
insiders from accessing and disclosing personal information without

Data Security: The Discussion Draft of Data Protection Legislation


EPIC Testimony:


EPIC's Choicepoint page:


[3] Local, State, National Organizations Battle REAL ID Implementation

More than seventy individuals from local, state and national
organizations gathered in Washington, D.C. on Wednesday for the National
Driver's License Strategy Meeting convened by the American Civil
Liberties Union, Electronic Privacy Information Center, National Asian
Pacific American Legal Consortium, National Immigration Law Center, and
National Council of La Raza. The privacy, civil liberties, and immigrant
rights' groups discussed strategies to fight the implementation of the
REAL ID Act, a national ID program passed in May, which mandates federal
identification standards and requires that state DMVs collect sensitive
personal information.

Panels at the meeting discussed the national ID system's privacy and
security risks; local, state and national strategies to oppose the
implementation of the national ID system; and possible impacts upon
different communities, including immigrant, minority, religious and
gay/lesbian/bisexual/transgendered. Groups represented included the
Electronic Frontier Foundation, National Governors Association, Center
for New Community and National Employment Law Project.

Under the REAL ID Act, state DMVs will have to verify identification
documents and the legal status of immigrants. States are mandated to
link their databases so that all information collected about individuals
by each DMV can be accessed. The panels highlighted the grave privacy
and security risks inherent in the creation of a tempting target for
criminals at a time of rampant data security breaches and attacks upon
DMVs by identity thieves.

Rep. James Sensenbrenner, the act's sponsor, has estimated that enacting
REAL ID would cost $100 million. However, Pennsylvania has estimated
that it would cost more than $100 million for the state alone to
implement the national ID program. Congress has not yet stated where the
money to create the national ID system would come from. Panelist Nolan
Jones, from the National Governors Association, estimated that REAL ID
would cost $750 million over the next five years, and said that if the
cost were passed on to the public, then licenses would cost about $100 to
$125 each.

National Driver's License Strategy Meeting:


EPIC's National ID Cards and REAL ID Act page:


EPIC National ID Conference


Text of H.R. 418, the Real ID Act:


[4] Accountability Office Finds Security Agency Broke Privacy Law

In a letter to Congress, the Government Accountability Office concluded
that the Transportation Security Administration violated the Privacy Act
when it obtained personal information about airline passengers from
commercial data brokers during the test phase of the Secure Flight
passenger prescreening program.  According to the letter, "the agency
did not provide appropriate disclosure about its collection, use and
storage of personal information as required by the Privacy Act," and
"the public did not receive the full protections" of the law.

Violations of the Privacy Act of 1974, a federal law requiring
government agencies to meet certain obligations when creating and
maintaining systems of records, are civilly and criminally punishable.
The Department of Homeland Security Privacy Office is also investigating
whether the agency violated the Privacy Act during the test phase of
Secure Flight.

In fall 2004, TSA published a privacy impact assessment and three
notices describing the Secure Flight program, and also ordered 72
commercial airlines to turn over passenger records from June 2004 to
test Secure Flight. The agency assured the public repeatedly it would
not have access to or store data from commercial data aggregators during
the test phase.

However, according to a notice and privacy impact assessment published
in the Federal Register on June 22, TSA obtained passenger name records
enhanced with commercial data during the testing of Secure Flight. The
commercial data, which was obtained by contractor EagleForce Associates
from commercial data brokers, included such information as name, home
address, phone number, date of birth, and gender. EagleForce then
provided the enhanced passenger records to TSA on CD-ROMs for use in
watch list match testing. TSA continues to store this data. In a series
of comments to the Department of Homeland Security, EPIC has repeatedly
urged that the agency follow Privacy Act requirements when it gathers
personal information on travelers.

In a letter to Homeland Security Secretary Michael Chertoff in response
to the GAO's findings, Senators Susan Collins and Joe Lieberman stated
that "careless missteps such as this jeopardize the public trust and
DHS' ability to deploy" Secure Flight.

The GAO letter to Congress:


TSA Nov. 15, 2004 Notice of Final Order:


TSA June 22, 2005 System of Records Notice:


Letter from Sens. Lieberman and Collins to Secretary Chertoff:


EPIC's Secure Flight Page:


[5] After U.K. Attacks, Pressure Rises for More Surveillance in U.S.

A new series of bombings in London has increased pressure in the U.S.
for more surveillance programs. There have been calls to significantly
expand video surveillance systems and police have begun randomly
searching subway, bus, ferry and railway riders in New York City and its
New Jersey suburbs. Washington, D.C., is considering random searches of
its mass transit riders, and is observing New York's tactics.

New York Sen. Hillary Clinton called for subway officials to install
more cameras, even though New York officials said about 5,000 cameras
are already in use throughout the city's travel system. Department of
Homeland Security officials recently announced they would spend almost
$10 million to install hundreds of surveillance cameras and sensors on a
rail line near the Capitol.

London has 200,000 cameras, and more than 4 million cameras have been
deployed throughout the country. The average Briton is seen by 300
cameras per day, according to estimates. Despite the extensive
surveillance system, the recent bombings were not prevented. A recent
EPIC Spotlight on Surveillance highlighted the ineffectiveness of such
camera surveillance systems, and found the systems' minimal security
benefit is not worth the significant risks to privacy. Studies have
found that such camera networks have little effect on crime, and that it
is more effective to place more officers on the streets and improve
lighting in high-crime areas.

In 2002, EPIC launched the Observing Surveillance project. The project
includes a map of camera locations in areas of downtown Washington,
D.C., which indicates both the locations of surveillance cameras
installed by the D.C. Metropolitan Police Department and the projected
surveillance radius of those cameras.

New York City and New Jersey police have begun conducting random
searches of packages and backpacks carried by more than 5 million daily
mass transit passengers. These searches have prompted questions about
racial and ethnic profiling, and about the legality of the searches,
conducted on people who are not suspected of any criminal wrongdoing.

EPIC May Spotlight on Surveillance About Camera Systems:


Observing Surveillance Web Site:


[6] News in Brief

EDRI Launches Petition Against Data Retention

European Digital Rights and Dutch ISPs XS4ALL and Bit have launched an
international petition against mandatory data retention. EDRI argues
that retention of telecommunication traffic data is an invasive tool
that interferes with privacy rights, and that data retention is illegal under
Article 8 of the European Convention on Human Rights. EDRI also argues
that security gained from retention may be illusory, as traffic data may
easily point to another user, and the means through which this policy is
being pursued are illegitimate.

EDRI and ISP petition against data retention (in English and French):


EPIC's International Data Retention page:


New EPIC Page Describes 'Flash Cookies'

Internet cookies used to be a treat for marketers looking for ways to
measure advertising response, but that has changed. A recent study by
international research advisory organization JupiterResearch has found
that nearly 60 percent of American Internet users have deleted cookies
from their computers in order to avoid being tracked online. One company
has proposed to track users through a feature in Macromedia Flash
software. "Flash cookies" make it possible for Web sites to track users,
even if they delete their normal cookies. EPIC's new Flash Cookies page
describes what they are, and how to prevent being tracked by them.

EPIC's Flash Cookies page:


JupiterResearch press release about its study:


Justice Department Launches Online National Sex Offender Database

The Department of Justice has posted a nationwide sex offender Web site,
which provides public access to sex offender information from 21 states
and the District of Columbia searchable by name, ZIP code, county, city,
state, or nationwide.  According to the site, the database will provide
"one-stop access" to registries from all 50 states by the end of the
year.  Each state posts different information about sex offenders, but
profiles can include detailed personal data such as the individual's
name, date of birth, residential address, work address, age, weight,
height, hair color, eye color, race, gender, identifying marks, one or
more photographs, offense, conviction information, known aliases, and
age of victim. In an amicus brief to the Supreme Court, EPIC argued in
2002 that "Megan's law statutes which permit registry dissemination on
the Internet are excessively invasive of the privacy of released

Department of Justice National Sex Offender Public Registry:


EPIC Amicus Brief, Smith v. Doe (US 2003) (pdf):


Smith v. Doe (US 2003)


EPIC Publishes Memo on Recruiting Database, Privacy Act Violations

EPIC has released a memorandum describing the Department of Defense
recruiting database. The memorandum discusses the sources of the data
and the Privacy Act violations in the creation of the database. Of
particular concern is the use of commercial data brokers and Social
Security numbers. Pending resolution of these issues, EPIC urges the
department to immediately suspend the use of the database.

EPIC memorandum (pdf):


EPIC's DOD Recruiting Database page:


Deadline Approaches to Comment on Telemarketing Laws

According to DMNews, a publication focusing on direct marketing, 8,100
people have filed comments with the Federal Communications Commission in
opposition to petitions filed by telemarketers that would weaken
protections against telemarketing. The petitions seek to preempt, or
supersede, state laws that are stronger than federal law. These state
laws prohibit telemarketers from making "pre-recorded voice" calls, or
from exploiting a "business relationship" loophole that allows calls to
those on the Do-Not-Call Registry. EPIC is urging consumers to comment
in support of state anti-telemarketing laws until the deadline for
public participation, Friday, July 29, 2005.

EPIC's Telemarketing Preemption page:


FCC Comment Filing System page:


Two Canadian Law Firms Rebuked for Privacy Breaches

The Office of the Information and Privacy Commissioner of Alberta,
Canada, recently rebuked two Canadian law firms for publishing personal
employee information on a public Web site. Stikeman Elliott LLP of
Toronto and Montreal and Shtabsky & Tussman LLP of Edmonton violated
Alberta's Personal Information Protection Act by disclosing home
addresses and social insurance numbers in connection with a corporate
buyout. The office recommended that both law firms conduct comprehensive
privacy training and education programs with their lawyers and staff.

Alberta Privacy Commissioner report (pdf):


EPIC Opposes Council of Europe Convention on Cybercrime

In a statement to the Committee on Foreign Relations, EPIC has urged the
United States Senate to oppose ratification of the Council of Europe
Convention on Cybercrime. EPIC cited the sweeping expansion of law
enforcement authority, the lack of legal safeguards, and the impact on
US Constitutional rights.

EPIC statement (pdf):


EPIC's Cybercrime Convention page:


Build-A-Bear Workshops Build a Marketing Database on Kids

Build-A-Bear Workshops are where kids construct and customize their own
teddy bears, and even create a birth certificate for them. The company
also gathers personal information on its young customers. When kids
access computers to make bear birth certificates, they are asked to
submit their name, birth date, gender, home address and an e-mail
address. Children are required to opt out of receiving unsolicited
offers by unchecking boxes authorizing Build-A-Bear to contact kids
with special offers and promotions.

EPIC's Privacy and Consumer Profiling page:


[7] EPIC Bookstore: Nat Hentoff's "War on the Bill of Rights"

Nat Hentoff, War on the Bill of Rights And the Gathering Resistance
(Seven Stories Press, 2003)


"The Constitution, said Supreme Court Justice Antonin Scalia ominously
in March, 2003, just sets minimums. Most of the rights that you enjoy go
way beyond what the Constitution requires. In The War on the Bill of
Rights-and the Gathering Resistance, nationally syndicated columnist and
Village Voice mainstay Nat Hentoff draws on untapped sources-from
reporters, resisters, and civil liberties law professors across the
country to administration insiders-to piece together the true dimensions
of the current assault on the Constitution and the Bill of Rights. The
first draft of the USA PATRIOT Act to go to Congress included the
suspension of habeas corpus. The proposed sequel (PATRIOT Act II) would
make it possible to revoke U.S. citizenship, and, for the first time in
history, authorize secret arrests. Both Patriot Acts increase electronic
surveillance of Americans, with minimal judicial supervision. Hentoff
refocuses attention on domestic surveillance initiatives established by
unilateral executive actions, such as Operation TIPS and the Total
Information Awareness System, both still quietly functioning. Hentoff
chronicles the inevitable rise of citizen's groups against these gross
infringements, comparing today's Bill of Rights Defense Committees to
Samuel Adams's Sons of Liberty, whose campaign against the British
helped to precipitate the American Revolution. Afforded little coverage
in the major media, the Bill of Rights Defense Committees now have
spread to nearly one hundred cities and towns nationwide. Hentoff quotes
Lance Morrow, who wrote, If Americans win a war (not just against Saddam
Hussein but the longer-term struggle) and lose the Constitution, they
will have lost everything."


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $35.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 22nd
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.


"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore

     "EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries
of interesting documents obtained from government agencies under the
Freedom of Information Act.

     Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Access to Information: Analyzing the State of the Law.  Riley
Information Services. September 8, 2005. Ottawa, Ontario. For more
information: http://www.rileyis.com/seminars/

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:
http://www.futureofmusic.org/events/summit05/

Conference On Passenger Facilitation & Immigration: Newest trends in
achieving a seamless experience in air travel International Air
Transport Association (IATA) and Singapore Aviation Academy (SAA)
October 3-5, 2005 Singapore Aviation Academy. For more information:
http://www.saa.com.sg/conf_pax_fac/

Access & Privacy Workshop 2005: Toolkit For Change. Ontario Ministry of
Government Service's Access & Privacy Office. October 6-7, 2005.
Toronto, Ontario. For more information:
http://www.governmentevents.ca/apw2005/

Public Voice Symposium: "Privacy and Data Protection in Latin America -
Analysis and Perspectives." Launch of the first Spanish version of
"Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto
Lleras Camargo de la Universidad de los Andes, Bogota, Colombia.
Organizers: Electronic Privacy Information Center (EPIC), Grupo de
Estudios en Internet, Comercio Electrónico, Telecomunicaciones e
Informática (GECTI), Law School of the Universidad de los Andes, Bogota,
Colombia, Computer Professional for Social Responsibility-Peru
(CPSR-Perú). For more information:
http://www.thepublicvoice.org/events/bogota05/

6th Annual Privacy and Security Workshop. Centre for Innovation Law and
Policy (University of Toronto) and the Center for Applied Cryptographic
Research (University of Waterloo). November 3-4, 2005. University of
Toronto. For more information:
http://www.cacr.math.uwaterloo.ca/conferences/2005/psw/announcement.html

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis/

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:
http://www.icann.org/

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

     https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

     http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 12.15 ----------------------