EPIC logo

                           E P I C  A l e r t
Volume 12.20                                            October 6, 2005

                            Published by the
                Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents

[1] EPIC FOIA Note: Travelers Struggle With Watch List Errors
[2] FCC to Apply Wiretap Law to Broadband, VoIP
[3] US-VISIT's Travel ID Plan Still Has Security, Privacy Risks
[4] EPIC Unveils Page About Theme Parks and Privacy
[5] Congress Demands Limits on "Sensitive Security Information"
[6] News in Brief
[7] EPIC Bookstore: Dan Tynan's "Computer Privacy Annoyances"
[8] Upcoming Conferences and Events

[1] EPIC FOIA Note: Travelers Struggle With Watch List Errors

Documents obtained by EPIC under the Freedom of Information Act show
nearly a hundred complaints from airline passengers about the
government's traveler screening security measures. The most common
complaint from travelers is that they have been wrongly placed on a
government watch list.

The Transportation Security Administration maintains "selectee" and "no
fly" watch lists of individuals suspected of posing a risk to air travel
safety. When a passenger checks in for a flight, he may be labeled a
threat if his name matches an entry on one of the watch lists, even if
he is not the person actually on the list. People who are identified as
watch list matches may experience long screening delays or not be
allowed to board the plane.

EPIC posted the documents on its Web site in recognition of
International Right to Know Day on September 28. On that day in 2002,
freedom of information organizations from around the world established
the Freedom of Information Advocates Network. The coalition, now
composed of more than 90 organizations on four continents, continues to
promote the adoption of freedom of information laws throughout the world
and the recognition of the right to know as a fundamental human right.

EPIC FOIA Note #8:


More EPIC FOIA documents on watch lists:


Freedom of Information Advocates Network:


EPIC International Right to Know Day press release:


[2] FCC to Apply Wiretap Law to Broadband, VoIP

On September 23, the Federal Communications Commission issued an order
and notice of proposed rulemaking stating that the federal wiretap law
applies to broadband Internet service providers and voice over IP (VoIP)
services. The 1994 wiretap law, known as CALEA (the Communications
Assistance for Law Enforcement Act) required telephone companies to
provide easy access for law enforcement agencies to tap customers'

The new FCC order means that broadband service providers and providers
of VoIP services that are capable of connecting to the regular telephone
network ("interconnected VoIP") must also create systems that the
government can wiretap. The FCC reached this conclusion despite the fact
that CALEA originally applied only to "telecommunications carriers" and
excluded "information services"from its scope.

The FCC justified this expansion by citing a previously unused portion
of CALEA that authorized the FCC to apply CALEA to any "wire or
electronic communication switching service," so long as that service "is
a replacement for a substantial portion of the local telephone exchange
service and. . . it is in the public interest to do so."  The FCC cited
to this, saying many use broadband and VoIP services to at least
partially replace traditional telephone use. The FCC also argued that
the exclusion of "information services" from CALEA does not apply
because the agency interprets the definitions of "telecommunications"
and "information services" differently for CALEA than it does for the
Communications Act.

On the same day as the Order was issued, the FCC released a policy
statement that outlined the FCC's belief that "consumers are entitled
to run applications and use services of their choice, subject to the
needs of law enforcement."  This announcement indicates the potential
for wiretap provisions to expand into an even wider variety of
communications methods. The final breadth of this expansion remains to
be seen.

FCC Order and Further Notice of Proposed Rulemaking (pdf):


FCC Policy Statement (pdf):


2003 EPIC Letter to Chairman Michael Powell on VoIP Regulation:


EPIC Wiretap Page:


[3] US-VISIT's Travel ID Plan Still Has Security, Privacy Risks

In comments to the Department of Homeland Security, EPIC again has urged
the agency to abandon a flawed proposal to embed Radio Frequency
Identification tags in the Form I-94 or Form I-94W, which is the
Arrival-Departure record issued to a traveler to the United States. The
plan lacks basic privacy and security safeguards, and these costs
substantially outweigh the limited timesaving benefits, EPIC said.

Under US-VISIT, foreign visitors are subject to biometric collection,
biographic data collection, and watch list checks. The information
collected from individuals includes name, date of birth, country of
citizenship, passport number and country of issuance, complete U.S.
destination address, and digital fingerscans.

The wireless travel ID plan contains a significant risk of unauthorized
access. Although DHS states that the RFID tags will only carry a unique
identification number, which will not contain any personally
identifiable information, the ID numbers are linked to data files, and
are subject to interception. The ID number is the key that permits
access to records in the US-VISIT system.

Another significant security risk is that of clandestine tracking. RFID
is an invisible technology. It allows a person's information to be
accessed without his or her knowledge. Anytime a visitor is carrying his
I-94 RFID-enabled form, his unique identification number, which is
linked to his individual biographic information, could be accessed by
unauthorized individuals. So long as the RFID tag or chip can be read by
unauthorized individuals, foreign visitors could be identified and

EPIC has submitted a series of comments on database proposals undertaken
by DHS regarding the development of the US-VISIT program. Most recently
in August, EPIC urged DHS abandon the RFID plan because the problems
with the proposal are very similar to the problems found in the State
Department's flawed proposal to include RFID tags in U.S. passports. The
State Department is reassessing the plan after receiving a storm of
criticism from civil liberties, security and privacy groups, including

EPIC's recent comments (pdf):


EPIC's Aug. 4, 2005 comments (in html and pdf):







[4] EPIC Unveils Page About Theme Parks and Privacy

EPIC has created an issue page on theme parks and privacy to act as a
single source of information for consumers to learn more about privacy
issues surrounding theme parks. The page provides information on theme
parks' growing use of biometrics and other surveillance technology for
commercial purposes.

For instance, fingerprint scans are now being used to keep track of
visitors who enter and exit theme parks such as Walt Disney World. On
January 2, all current Disney World admission passes began using
fingerprint scans as a means to track customers entering Disney theme
parks. Each park visitor is asked to make the peace sign and then place
the fingers into a fingerprint reader. The digital fingerprint
information is stored and used to match visitors with their park pass.
All individuals who are 10 years of age or older are asked to provide
their fingerprints for scanning. However, children younger than ten have
also been participating in this customer identification program.

Unfortunately, many visitors to the theme parks are not aware of the new
policy. They are not informed that their fingerprint information has
been scanned and retained. Customers were not provided with information
on how long the fingerprint information would be retained, nor whether
the information  collected would be used for other purposes other than
the control of admission to the theme park.

Another theme park profiled on the page is DestiNY USA, which is under
construction in the state of New York. This commercial center and theme
park has been advertised as a place where marketers can study consumers
interacting within a "living laboratory." The park claims that it has
"built in the access and capacity for partner companies to monitor and
continuously improve their products and services as they are being used
by millions of visitors."

The two parks highlighted are not the only theme parks using biometrics
and surveillance technology to monitor visitor access and activity
within parks. As technologies that were once considered inappropriate
for use on the general public become more available, park visitors must
be on guard for additional threats to their privacy.

EPIC's Theme Park Page:


[5] Congress Demands Limits on "Sensitive Security Information"

In a conference report on the 2006 Homeland Security Appropriations Act,
Congress instructed the Department of Homeland Security to create
clearer and more consistent procedures for determining what documents
are to be considered "sensitive security information," or SSI.  While
such documents are unclassified, they are still withheld as being too
sensitive to release publicly.  Among the documents considered SSI are
airport security plans, specifications for screening devices, and
vulnerability studies.  However, in recent years, the category has
expanded to include "security directives" and any "other information"
within an agency's discretion.  For instance, Transportation Security
Administration employees have cited SSI to refuse to tell airline
passengers why they were being searched.

The Congressional report sought to curb the proliferation of SSI in
areas that should be in the public domain.  The report requires each
office within Homeland Security to have a specific official who will
designate documents as SSI. Congress also requires the Secretary of
Homeland Security to give the titles of all SSI documents to Congress in
an annual report.

This July, EPIC won a battle with the Department of Homeland Security
and the Transportation Security Administration over SSI designations. A
federal court found that government agencies cannot withhold information
simply by designating it SSI, without any further description. Though
federal agencies "are not required to describe the withheld portions in
so much detail that it reveals the sensitive security information
itself," the court said they are required to "provide a more adequate
description" to explain why material is not made public. EPIC filed a
Freedom of Information Act suit to force DHS, TSA and the FBI to release
documents detailing the agencies' efforts to obtain airline passenger
information. Though the court found that the FBI had conducted an
adequate search for documents, and TSA and DHS had properly withheld
some material, the court ordered DHS and TSA to provide more detailed
justification for numerous withholdings.

Excerpts from the Conference Report:


Full text of the Conference Report on the 2006 Homeland Security Act:


Opinion in EPIC FOIA Case (pdf):


[6] News in Brief

Spotlight: Registered Traveler Program Creates Private ID System

“Spotlight on Surveillance” turns to the Registered Traveler air
passenger prescreening program run by Verified Identity Pass, Inc.
Travelers pay $80 per year and submit personal data, including Social
Security numbers, fingerprints, and iris scans, to the company for the
privilege of a “fast pass” through airport security. The program may
expand beyond airports to office buildings and stadiums. The system not
only contains significant security and privacy flaws, it also creates
the risk that people may eventually have to pay for an unregulated,
privatized ID card simply to enter an office building.

Spotlight on Surveillance:


EPIC's Passenger Profiling Page:


Recent Poll Shows Widespread Concern for Consumer Privacy

A recent CBS/New York Times poll shows that Americans are increasingly
worried about their personal information being collected and shared by
private companies. 52% think the right to privacy is under serious
threat, and another 30% think it has already been lost. Only 16% think
it is still safe. The poll also reveals that 55% were very concerned
about having personal information stolen, and another 34% were somewhat
concerned.  Financial institutions were seen as the biggest threat to
privacy, with half of the respondents naming banks and credit card
companies as the source of the greatest threat to privacy. The federal
government was the primary privacy threat seen by 14%.  68% of
respondents felt that the federal government should be doing more to
protect their privacy. Respondents were not asked about state or local

EPIC's Public Opinion and Privacy Page:


EPIC Comments on ICANN WHOIS Proposal

EPIC has filed comments with the Internet Corporation for Assigned Names
and Numbers (ICANN) on its new WHOIS policy. Under ICANN's current
policies, those registering domain names must make public their contact
information via WHOIS. But under many local and national laws, this
information is private.  The Task Force now recommends that registrars
be allowed to request exceptions to the ICANN policies if they can show
a conflict with local or national laws. The EPIC comments support this
change but also urging far more comprehensive and effective policies be
explored and implemented.

EPIC's Comments to ICANN:


ICANN WHOIS Task Force Report:




Senate Adds Unrelated DNA Collection to Violence Against Women Act

A measure that would allow the collection of DNA from any person
detained or arrested by law enforcement was attached to the Violence
Against Women Act.  The amendment, unrelated to the Act, would allow law
enforcement to collect DNA even from those not convicted or charged with
any crime.  The DNA would then be added to a federal DNA database.
CODIS currently includes the DNA only of those who have been convicted,
indicted, or charged with crimes.

Text of the bill (DNA Fingerprint Act is under Title X):


California to Track Parolees, Probationers by GPS

California Gov. Arnold Schwarzenegger signed legislation Tuesday that
will allow counties and the state to track people on probation or
parole by attaching global positioning system devices to their
ankles. Each device costs about $9 per day to operate and can be
assigned by probation officers without a judge's order. California
has 115,000 parolees and 250,000 on probation.

California Legislative Information on the bill (SB 619):


Homeland Security's Privacy Officer Steps Down

On September 29th, Nuala O'Connor Kelly stepped down as the Chief
Privacy Officer at the Department of Homeland Security. The position was
created in an attempt to safeguard privacy rights at DHS. Although civil
liberties groups praised Ms. O'Connor Kelly for her work, which included
calling attention to several privacy breaches at DHS, they also noted
that the position of Privacy Officer lacked the independence necessary
to truly protect Americans' privacy. Ms. O'Connor Kelly leaves DHS to
take a position as head of privacy issues at General Electric. Maureen
Cooney, Ms. O'Connor Kelly's former chief of staff, has been named
acting director.

Department of Homeland Security Privacy Office:


[7] EPIC Bookstore: Dan Tynan's "Computer Privacy Annoyances"

Dan Tynan, Computer Privacy Annoyances: How to Avoid the Most
Annoying Invasions of Your Personal and Online Privacy (O'Reilly 2005)


Dan Tynan's Computer Privacy Annoyances gets it right: the book provides
excellent advice on how to protect privacy without turning the reader
into a paranoid.  The book has one of the best "top ten" steps to
protect privacy I've read.  He covers privacy at home, work, and on the
Internets.  He also covers privacy in public, an increasingly important
topic in an age of ubiquitous cameras and nagging offline requests for
personal data at retail stores.  A prescient section of the book
discusses the privacy risks associated with social network software,
systems that many even in the privacy community have adopted.

Oddly enough, O'Reilly (the publisher) stuck a registration card in
Tynan's book.  A careful reader of Tynan's book will learn that such
product registration cards are just marketing tools and should be
dispatched to the recycling bin.

-- Chris Jay Hoofnagle


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This survey, by EPIC and Privacy International, reviews the state of
privacy in more than sixty countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40. http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine
Act, and the Federal Advisory Committee Act.  The 22nd edition fully
updates the manual that lawyers, journalists and researchers have
relied on for more than 25 years.  For those who litigate open
government cases (or need to learn how to litigate them), this is an
essential reference manual.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40. http://www.epic.org/bookstore/pls2004

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and international privacy law, as well
as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

      EPIC Bookstore

      "EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries
of interesting documents obtained from government agencies under the
Freedom of Information Act.

      Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Access & Privacy Workshop 2005: Toolkit For Change. Ontario Ministry of
Government Service’s Access & Privacy Office. October 6- 7, 2005.
Toronto, Ontario. For more information:

State of Play III: Social Revolutions. Berkman Center for Internet and
Society, New York Law School, Yale Law School. October 7-8, 2005. New
York, NY. For more information: http://www.nyls.edu/pages/2396.asp

Eighth World Conference and Exhibition on the Practical Application of
Biometrics. Elsevier. October 19-21, 2005.  Westminster, London, UK.
For more information:

Public Voice Symposium: "Privacy and Data Protection in Latin America -
Analysis and Perspectives."  Launch of the first Spanish version of
"Privacy and Human Rights."  October 20-21, 2005, Auditorio Alberto
Lleras Camargo de la Universidad de los Andes, Bogota, Colombia.
Organizers: Electronic Privacy Information Center (EPIC), Grupo de
Estudios en Internet, Comercio Electrónico, Telecomunicaciones e
Informática (GECTI), Law School of the Universidad de los Andes, Bogota,
Colombia, Computer Professional for Social Responsibility-Peru
(CPSR-Perú). For more information:

Cryptographic Hash Workshop. National Institute of Standards and
Technology, Computer Security Division.  October 31-November 1, 2005.
Gaithersburg, MD.  For more information:

First International Conference on Digital Rights Management: Technology,
Issues, Challenges, and Systems. Telecommunications and Information
Technology Research Institute (University of Wollongong), International
Association for Cryptologic Research, IEEE Task force on Information
Assurance. October 31-November 2, 2005. Sydney, Australia. For more

6th Annual Privacy and Security Workshop. Centre for Innovation Law and
Policy (University of Toronto) and the Center for Applied Cryptographic
Research (University of Waterloo). November 3-4, 2005. University of
Toronto. For more information:

12th ACM Conference on Computer and Communications Security. Association
for Computing Machinery: Special Interest Group on Security, Audit, and
Control. November 7-11, 2005. Alexandria, VA. For more Information:

The World Summit on the Information Society.  Government of Tunisia.
November 16-18, 2005.  Tunis, Tunisia.  For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005.  Vancouver, Canada.  For more
information: http://www.icann.org

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or
write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 12.20 -------------------------