                             E P I C  A l e r t
Volume 12.18                                           September 9, 2005

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


Table of Contents

[1] EPIC Urges Senate to Question Roberts on Privacy Rights
[2] EPIC Calls for Government Watch List Accuracy
[3] Appeals Court: Floridians Eligible for Damages in Privacy Case
[4] EPIC Petitions FCC to Protect Phone Users' Privacy
[5] Report: Government Withholding More Information Than Ever Before
[6] News in Brief
[7] EPIC Bookstore: EPIC's "Privacy Law Sourcebook 2004"
[8] Upcoming Conferences and Events

[1] EPIC Urges Senate to Question Roberts on Privacy Rights

In a letter to the Senate Judiciary committee, members of the EPIC
Advisory Board urged the senators to carefully explore the views of
Judge John G. Roberts, Jr., the nominee for Chief Justice of the Supreme
Court, on the right to privacy. The Senate confirmation hearings for
Judge Roberts begin Monday.

EPIC discussed two issues in the letter: Judge Roberts's views on
unlawful searches and his support for a national ID card. Judge
Roberts's views on unlawful searches are a far cry from those of
retiring Justice Sandra Day O'Connor. The exclusionary rule "was
established to provide a meaningful remedy in those circumstances where
the police obtain evidence in violation of the Constitution. Not only
does the rule help prevent police misconduct, it may also play an
increasingly important role in ensuring the accuracy and reliability of
the databases on which the police rely," EPIC said. In January 1983,
while an attorney for President Reagan, Judge Roberts made clear his
opposition to the rule.

Judge Roberts has also expressed support for national ID cards, even
though such cards have historically been rejected in the United States.
For example, EPIC said, in the legislation to create the Department of
Homeland Security, "members of Congress made clear their opposition to
creation of a national ID card. Section 554 states directly 'Nothing in
this Act shall be construed to authorize the development of a national
identification system in card.'" In an October 1983 White House memo,
Judge Roberts said that privacy concerns were "largely symbolic so far
as a national I.D. card is concerned."

EPIC said, "Although Judge Roberts is a distinguished lawyer and a
brilliant jurist, we believe that he may have a very limited view of
both the Court's role in protecting Constitutional rights and of the
ability of the Congress and the states to defend privacy through
legislation." EPIC concluded that the United States is likely to face
enormous challenges to personal privacy in the years ahead, and "[a]
recognition of the need to uphold Constitutional responsibilities to
counterbalance law enforcement powers is crucial."

In the last several years, EPIC has participated in several cases before
the Supreme Court, including Watchtower Bible v. Village of Stratton. In
that case, EPIC filed an amicus brief in which it supported the rights
of Jehovah's Witnesses against an Ohio ordinance requiring all
individuals going door-to-door to register and identify themselves prior
to expressing their political and religious views. EPIC said that the
ordinance forced individuals to sacrifice their anonymity and chilled
activity protected by the First Amendment. The Court agreed with this
reasoning and invalidated the statute.

According to the EPIC letter sent to the members of the Judiciary
Committee, "this case also demonstrates how privacy interests help
protect other Constitutional values, such as freedom of association and
freedom of expression."

EPIC's Letter to the Senate Judiciary Committee (pdf):


EPIC, Watchtower Bible v. Village Stratton (2002):


Senate Judiciary Committee:


New York Times, Supreme Court in Transition:


Wikipedia, John G. Roberts


[2] EPIC Calls for Government Watch List Accuracy

In comments to the FBI, EPIC has urged the agency not to expand the
Terrorist Screening Center's watch list records system until the Bureau
resolves significant privacy, transparency, and due process issues. 
EPIC's recommendations were made in response to a notice, published by
the FBI on July 28, outlining plans for the creation of a records system
that will encompass the government's consolidated watch list
information, operational support records, and records related to
complaints or inquiries from individuals about erroneous watch list
matches. A second notice published the same day exempted the database,
the Terrorist Screening Records System, from numerous Privacy Act
requirements that ensure that agencies maintain accurate data and give
people rights in their information.

In its comments, EPIC criticized the lack of transparency in the
government's development of the system. EPIC noted that the FBI has
disclosed little information in response to a Freedom of Information Act
request about the watch lists' use within the Secure Flight passenger
prescreening program.

The comments also addressed the FBI's decision to exempt the system from
legal requirements that agencies maintain only accurate, timely,
complete, relevant and necessary information about people. Not only will
the Terrorist Screening Center use data that does not meet these
requirements to screen individuals, but the agency has also failed to
provide meaningful avenues for individuals to access personal
information and correct inaccuracies.  EPIC also said that the system's
broadly drawn "routine uses" of watch list data would only heighten the
system's privacy problems.

EPIC urged that development of the system should be suspended until the
FBI is willing to disclose more information about the system to the
public and address its substantial privacy issues.

EPIC's Comments to the FBI:


EPIC's Secure Flight page:


[3] Appeals Court: Floridians Eligible for Damages in Privacy Case

In an important victory for privacy rights, the 11th Circuit Court of
Appeals has held that individuals suing under the Drivers Privacy
Protection Act can qualify to receive monetary damages even if they did
not suffer financial harm.  The decision places a limit on Doe v. Chao,
a case from the Supreme Court where "liquidated" damages were not
available to plaintiffs suing under the Privacy Act of 1974 unless they
suffered actual harm.  Liquidated damages are important in privacy cases
because victims of business or government use of personal information
often suffer damages that are difficult to quantify, such as mental
distress and simple annoyance from receiving telemarketing and junk
mail.  The court recognized this, holding that:

"Damages for a violation of an individual's privacy are a quintessential
example of damages that are uncertain and possibly unmeasurable.  Since
liquidated damages are an appropriate substitute for the potentially
uncertain and unmeasurable actual damages of a privacy violation, it
follows that proof of actual damages is not necessary for an award of
liquidated damages.  To us, the plain meaning of the statute is clear --
a plaintiff need not prove actual damages to be awarded liquidated

The EPIC brief in the case, Kehoe v. Fidelity Bank, argued that Congress
established liquidated damages for successful plaintiffs in passing the
DPPA.  That law limits use of motor vehicle records to a limited set of
permissible purposes, and requires consent from the individual before
personal information can be used for marketing.  Prior to 1998, the DPPA
had an opt-out standard for marketing use, and when the statute was
strengthened, the Florida legislature failed to update their driver
privacy statute.  Data brokers knew that the federal law had changed
(they had lobbied against it), but they continued to buy millions of
records from the Florida government for a penny each.  Last year,
Florida patched its statute.

EPIC argued that without liquidated damages, unaccountable data brokers
would continue to purchase personal information in violation of the law,
relying on the fact that it is difficult to quantify damages from the
sale.  A brief submitted in the case by data brokers strenuously argued
that access to drivers' information is necessary for law enforcement and
national security purposes.  Especially because, after the September 11,
2001 terrorist attacks, data brokers have used anti-fraud and security
justifications as cover for their marketing activities.

The 11th Circuit's decision makes it economically viable for plaintiffs'
attorneys to remedy systematic violations of drivers' privacy in
Florida.  The Kehoe attorneys are currently litigating a similar claim
in Fresco v. Automotive Directions et al, a case where 13 companies are
alleged to have bought drivers' records for marketing purposes.  Also,
last Friday, the Kehoe attorneys filed a class action suit against Bank
of America for purchasing several thousand records of drivers who owned
high-end automobiles in Palm Beach County, presumably for marketing

EPIC's Amicus Brief in Kehoe v. Fidelity:


EPIC's Drivers Privacy Protection Act page:


[4] EPIC Petitions FCC to Protect Phone Users' Privacy

EPIC has petitioned the Federal Communications Commission to initiate a
rulemaking to enhance security protections for individuals' phone
records and renewed a call at the Federal Trade Commission for an
investigation of online data brokers for selling personal information

At issue is customer proprietary network information (CPNI).  CPNI
includes calling history and activity, billing records, and unlisted
telephone numbers of service subscribers.  CPNI can only be released in
limited circumstances, but online data brokers and private investigators
widely advertise online that they can procure this information without
informing the account holder.  It is believed that the information is
obtained principally through "pretexting," the practice of accessing
personal information by pretending to be the account holder.  Because
data brokers and private investigators have access to Social Security
numbers and other biographical identifiers used to verify individuals'
identity, they can easily pose as another person in order to
fraudulently obtain records.

EPIC's petition seeks to mandate heightened security standards,
including encryption of records, requiring audit logs to track who
accesses account information and why, and limits on the amount of time
that data is retained by the carrier.  Most importantly, EPIC urged the
agency to reduce carriers' reliance on biographical identifiers, like
Social Security numbers and dates of birth, to safeguard accounts. 
Customers' accounts would be better protected through passwords chosen
at service activation.

The petition is the latest step in a campaign to stop the illegal sale
of personal information by online data brokers and private
investigators.  In July, EPIC urged the Federal Trade Commission to
investigate the entire industry, because many Web sites offer to sell
protected personal information to anyone.  In an update to the July
submission, EPIC provided a list of 40 different Web sites that offer to
sell protected phone records and evidence that identity thieves use
online data brokers.

Until the agencies take action, individuals can protect their privacy by
calling their landline and wireless telephone carriers to opt out of
CPNI sharing, and to place passwords on their accounts.  Placing
passwords on the accounts should shield CPNI from improper disclosure.

EPIC's FCC Petition on CPNI:


EPIC's Letter to the FTC:

[5] Report: Government Withholding More Information Than Ever Before

The recent "Secrecy Report Card 2005" by OpenTheGovernment.org shows
that government secrecy is growing considerably. This report comes at a
time when government is being criticized for failures to protect
individual privacy rights. In July, the Government Accountability Office
reported to Congress that the Transportation Security Administration
violated the Privacy Act when it obtained personal information about
airline passengers from commercial data brokers during the test phase of
the Secure Flight passenger prescreening program.

The secrecy report found that federal agencies spent a record $148
creating and storing new secrets for each $1 spent declassifying old
secrets in 2004. The government classified 15.6 million documents "top
secret," "secret" or "confidential." This tops the 14.2 million
documents classified in 2003, and is almost double the 8.6 documents
classified in 2001. While the number of classified documents has
increased, the number of declassified documents has steadily decreased
for a fourth straight year. In 2004, 28.4 million documents were
declassified, far below the 100 million that were declassified in 2001,
the report said.

The report also found that Freedom of Information Act (FOIA) requests
were at an all-time high last year, with more than 4 million requests
made. However, there were 14 federal agencies reporting no backlog in
such requests, double the number in 2003. The government is often
criticized for its reluctance to release documents to the public.

EPIC's Open Government Project files FOIA requests to ensure government
accountability and transparency. In a FOIA case brought by EPIC against
three federal agencies, a federal court held in July that the
Transportation Security Agency and Department of Homeland Security may
not withhold a document sought by the public simply by saying it
contains "sensitive security information." Though federal agencies "are
not required to describe the withheld portions in so much detail that it
reveals the sensitive security information itself," the court said they
are required to "provide a more adequate description" to explain why
material is not made public.

OpenTheGovernment.com Secrecy Report Card 2005 (pdf):


EPIC v. Department of Homeland Security, et al:


EPIC's Open Government Project:


[6] News in Brief

Spotlight: Database Tracks Every Move of Foreign Students, Visitors

EPIC's September "Spotlight on Surveillance" scrutinizes the Student and
Exchange Visitor Information System (SEVIS), a Homeland Security
program. SEVIS is also a part of the US-VISIT program, which has been
criticized as flawed. Through SEVIS, the federal government is
accumulating a massive amount of data on foreign students and exchange
visitors, such as biographical information of the student or exchange
visitor and their dependents (name, place and date of birth, spouse and
children's data); academic information (status, date of study
commencement, degree program, field of study, institutional disciplinary
action); and employment information (employer name and address,
employment beginning and end dates). The stated goals of SEVIS are
related to immigration and education; however, the database is also
available to other federal, local, state, tribal and foreign agencies,
as well as immigration and education agencies. SEVIS represents a
massive surveillance system that monitors and tracks students and
exchange visitors at all times.

September Spotlight on Surveillance:


EPIC's US-VISIT page: 


Report: Agencies' Privacy Protections Lacking in Data Mining Projects

A recent Government Accountability Office report found that federal
agencies are failing to adequately protect privacy rights when using
data mining or knowledge discovery tools to find patterns and
associations in massive amounts of information. The report said that
although most agencies are notifying the public that they are using
personal information, few are notifying people about the intended uses
of that information. A previous government program that sifted through
troves of personal information, the Total Information Awareness project,
was shut down amidst privacy and security criticism.

Government Accountability Office report (pdf):


EPIC's Total Information Awareness page:


Get Your Free Credit Reports, and Correct and Monitor Them

New regulations have taken effect that entitle all Americans to a free
copy of their credit report from all three of the big consumer reporting
agencies.  Free credit reports can be obtained by visiting
annualcreditreport.com or by calling 1-877-322-8228. After obtaining a
credit report, it should be carefully checked for errors, any errors
should be disputed, and any documentation generated in the process
should be kept.  A person can avoid signing up for expensive
credit-monitoring services by self-monitoring. By ordering one of the
three reports every four months, important developments in credit
records can be monitored at no cost.

Free reports are available online at:


EPIC's Fair Credit Reporting Act page:


California RFID Bill Is Resurrected 

A California State Senator has resurrected legislation that was shelved
after an intense anti-privacy lobbying effort. The bill, SB 682, was held
by the Assembly Appropriations Committee, effectively ending its chances
of passage this year.  But Sen. Joe Simitian (San Mateo) worked with the
Assembly leadership to "gut and amend" another bill and revive the
effort to place limits on government use of Radio Frequency
Identification (RFID) technology to identify and track Californians. The
legislation, now designated SB 768, the Identity Information Protection
Act of 2005, would establish security standards for RFID or other
"contactless" identity cards, and criminalize the remote, unauthorized
reading of personal information.

California's SB 768:


EPIC's RFID page:


JetBlue, Sun Country Install Surveillance Cameras on Planes

JetBlue and Sun Country airlines have installed surveillance cameras
that allow pilots to monitor passengers in an effort to avert a
hijacking. Nearly a dozen airlines received federal grants to test the
systems for future use. The systems are not mandated by the Federal
Aviation Administration. Critics caution that guidelines are needed to
ensure surveillance cameras aboard aircraft do not violate a passenger's
privacy rights. In recent years, there has been considerable growth in
the use of camera surveillance systems.

EPIC's May Spotlight on Surveillance about Camera Systems:


Observing Surveillance Web site:


[7] EPIC Bookstore: EPIC's "Privacy Law Sourcebook 2004"

Marc Rotenberg, ed., The Privacy Law Sourcebook 2004: United States Law,
International Law, and Recent Developments (EPIC, 2005)


The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine
Act, and the Federal Advisory Committee Act.  The 22nd edition fully
updates the manual that lawyers, journalists and researchers have
relied on for more than 25 years.  For those who litigate open
government cases (or need to learn how to litigate them), this is an
essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40. http://www.epic.org/bookstore/pls2004

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and international privacy law, as well
as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries
of interesting documents obtained from government agencies under the
Freedom of Information Act.

      Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

NGO Pre-Event to the Data Protection Commissioners Conference 2005:
Strategies for International Privacy Protection - Issues, Actors, and
Future cooperation. September 13, 2005. Montreux, Switzerland. For more
information: http://www.edri.org/panels

Canada-Australia Comparative IP & Cyberlaw Conference. University of
Ottawa. September 30 and October 1, 2005. Ottawa, Ontario. For more
information:
http://web5.uottawa.ca/techlaw/symposium.php?idnt=107&v=&c=&b=

Access to Information: Analyzing the State of the Law. Riley Information
Services. September 8, 2005. Ottawa, Ontario. For more information:
http://www.rileyis.com/seminars/

5th Annual Future of Music Policy Summit. Future of Music Coalition.
September 11-13, 2005. Washington DC. For more information:
http://www.futureofmusic.org/events/summit05

Conference On Passenger Facilitation & Immigration: Newest trends in
achieving a seamless experience in air travel. International Air
Transport Association (IATA) and Singapore Aviation Academy (SAA).
October 3-5, 2005. Singapore Aviation Academy. For more information:
http://www.saa.com.sg/conf_pax_fac

Access & Privacy Workshop 2005: Toolkit For Change. Ontario Ministry of
Government Service’s Access & Privacy Office. October 6-7, 2005.
Toronto, Ontario. For more information:
http://www.governmentevents.ca/apw2005/

Public Voice Symposium: "Privacy and Data Protection in Latin America -
Analysis and Perspectives." Launch of the first Spanish version of
"Privacy and Human Rights." October 20-21, 2005, Auditorio Alberto
Lleras Camargo de la Universidad de los Andes, Bogota, Colombia.
Organizers: Electronic Privacy Information Center (EPIC), Grupo de
Estudios en Internet, Comercio Electrónico, Telecomunicaciones e
Informática (GECTI), Law School of the Universidad de los Andes, Bogota,
Colombia, Computer Professional for Social Responsibility-Peru
(CPSR-Perú). For more information:
http://www.thepublicvoice.org/events/bogota05/default.html

6th Annual Privacy and Security Workshop. Centre for Innovation Law and
Policy (University of Toronto) and the Center for Applied Cryptographic
Research (University of Waterloo). November 3-4, 2005. University of
Toronto. For more information:
http://www.cacr.math.uwaterloo.ca/conferences/2005/psw/announcement.html

The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:
http://www.icann.org

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

      https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

      http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

      http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 12.18 -------------------------