EPIC logo

                               E P I C  A l e r t
Volume 12.22                                          November 4, 2005

                               Published by the
                  Electronic Privacy Information Center (EPIC)
                               Washington, D.C.


Table of Contents

[1] EPIC, Patient Privacy Rights Launch Effort to Protect Medical Records
[2] EPIC Testifies on Registered Traveler
[3] New Passports Still to have RFID
[4] EPIC Documents Show Possible Abuses of Intelligence Powers
[5] EPIC, Others Challenge Internet Wiretap Order
[6] News in Brief
[7] EPIC Bookstore: Renee Marlin-Bennett's "Knowledge Power"
[8] Upcoming Conferences and Events

[1] EPIC, Patient Privacy Rights Launch Effort to Protect Medical Records

On October 26th, EPIC joined with Patient Privacy Rights in an effort to
establish stronger protections in the United States for patients'
medical information.

"2005 is the year that the American public learned that massive security
breaches of personal information have made identity theft the number one
crime in America. We must not allow the most sensitive personal records
that exist, our medical records, to go online without adequate privacy
safeguards," said EPIC Executive Director Marc Rotenberg.

Congress is rushing to pass legislation to establish a national Health
Information Network without patient privacy protections. Yet recent
surveys show that Americans consider the privacy of medical records to
be a major concern. A Harris poll this past February found that 69
percent of adults do not believe strong enough data security will be
installed in the system. An earlier Gallup survey found that 78 percent
of the American public feel it is very important that their medical
records be kept confidential. And the Markle Foundation found that more
than three out of four respondents (79%) supported the right for a
patient to control who can access his health information.

"No one should be able to see or use your medical records without your
permission," said Dr. Deborah Peel, founder and chairman of the Patient
Privacy Rights Foundation. "Americans must have confidence in the
privacy and security of their online medical records."

As part of the effort to protect patients' privacy rights, the two
groups are circulating an online petition calling for strong medical
privacy safeguards.

The petition states simply:

-- I want to decide who can see and use my medical records 

-- I do not want my medical records or those of my family's to be seen
or used by my employer 

-- I should never be forced to give up my right to privacy in order to
get medical treatment.

Patient Privacy Rights is an Austin, Texas-based national consumer
organization devoted to medical privacy.

"I Want My Medical Privacy!" petition:

Patient Privacy Rights site: 

[2] EPIC Testifies on Registered Traveler

On November 3, the House of Representatives' Subcommittee on Economic
Security, Infrastructure Protection, and Cybersecurity held hearings on
the Transportation Security Administration's Registered Traveler
program.  The program allows travelers who submit to intensive
background screening to pass through airport security screening more

EPIC Executive Director Marc Rotenberg testified on the problems with
the proposed program.  He noted the security watchlists that form the
basis for the passenger pre-screening are riddled with inaccuracies that
are often extremely difficult to correct.  Documents released to EPIC
under the Freedom of Information Act revealed that over a hundred
complaints of such errors were made to the Transportation Security
Administration in aperiod of less than a year.

Rotenberg also said that the program lacked the necessary privacy
protections of the Privacy Act of 1974.  This is due to the fact that
Registered Traveler databases are either owned by private companies that
are not regulated by the Act, or the government databases are exempted
from federal laws at the request of the Transportation Security

Finally, Rotenberg cited the risk of "mission creep" within the
Registered Traveler program.  Using Registered Traveler IDs in
situations other than aviation security, as some vendors have suggested,
would lead to travelers being allowed or denied access to any number of
venues based not upon their risk to that venue, but on their supposed
risk to aviation. EPIC recommended that the plan not go forward until
these flaws were fixed.

Also testifying before the Committee was Kip Hawley, Director of the
Transportation Security Administration.  Participants on a second panel
with Rotenberg were Charles Barclay of the American Association of
Airport Executives, Steven Brill of Verified Identity Pass, Larry Zmuda
of Unisys.

Despite these concerns, representatives on the subcommittee were eager
to implement the system and questioned Director Hawley on the program's
slow development.  They also had many questions for the industry members
on the second panel about the role that private businesses would play in
the system. Registered Traveler has been conceived as being run by
private companies, with the Transportation Security Administration
providing the background checks for registered travelers and performing
the screening at airports.  The involvement of both the Administration
and private companies raised privacy concerns with several Subcommittee

Representative Dicks (D-WA) questioned Hawley about accuracy of the
security watchlists.  Using language from Rotenberg's written statement,
Congressman Dicks noted that the lists have demonstrated errors (such as
listing Senators Kennedy and Young for additional screening) and major
obstacles to correcting them (Senator Kennedy had to appeal directly to
then-Homeland Security head Tom Ridge). Hawley said that there was a
redress process, with a special number added to the erroneous files, and
that the process was "very quick."  He did not give additional

As for Privacy Act protections, Brill said that his company would
voluntarily abide by all Privacy Act safeguards, which do not ordinarily
apply to private companies.  Regarding private companies' record with
regard to consumers' privacy, Representative DeFazio (D-OR) had "two
words for that: Choice Point."

Testimony of Witnesses:

TSA's Registered Traveler site:

EPIC's Spotlight on Registered Traveler:

EPIC FOIA Note #8:

[3] New Passports Still to Have RFID

The State Department announced it will move forward with plans to
require new passports to be equipped Radio Frequency Identification
(RFID) chips. The recently issued final rule also attempts to address
deficiencies in a previous proposal, which would have made personal data
contained in the hi-tech passports vulnerable to unauthorized access.

The previous design would have stored information in the remotely
readable passports in unencrypted form. Tests had shown that the
passports' RFID chips could be read from two feet or more, posing a
significant risk of unauthorized access. The program was widely
criticized as unnecessary and insecure by EPIC and other civil liberties
groups. The previous design was also criticized by privacy and security
experts and the travel industry.

The State Department now plans to cover the passport booklet with
metallic shielding that effectively blocks transmission of information
when the booklet is not open. The Department also called for the
implementation of Basic Access Control, a practice in which the data
contained in the RFID chip is stored in encrypted form, and is only
decrypted by RFID readers that optically read and decode a key printed
on the inside of the passport's cover.  This key is also used to encrypt
all communications between the passport and the reader.

The State Department, in conjunction with the National Institute of
Standards and Technology, will also add shielding to the RFID readers in
an attempt to prevent the interception of signals between authorized
readers and passports. The State Department did not, however, provide
any details concerning this effort.

While these proposed changes should mitigate the most significant risks
of skimming and eavesdropping, they invalidate the main justification
that the State Department used to promote the use of RFID technology -
to save time at Customs by distance scanning with no physical contact

Computer Security expert Bruce Schneier has also said that "collision
avoidance ID" in the chip still creates serious privacy risks and should
be fixed. He writes in a recent column for Wired, "the real issue is how
many other problems like this are lurking in the details of its design?
We don't know, and I doubt the State Department knows either. The
only way to vet its design, and to convince us that RFID is necessary,
would be to open it up to public scrutiny.

Final Rule:

EPIC, EFF et al, Comments on RFID passports (pdf):

EPIC's RFID page:

[4] EPIC Documents Show Possible Abuses of Intelligence Powers

Documents obtained by EPIC under the Freedom of Information Act describe
thirteen cases of possible government misconduct in intelligence
investigations.  The documents, written by the FBI's Office of General
Counsel, describe Bureau investigations conducted for months without
proper reporting or oversight, an FBI agent's seizure of financial
records in violation of federal privacy law, and an unidentified
intelligence agency's unlawful physical search.

Most matters discussed in the documents were reported to the
Intelligence Oversight Board, which is tasked with reviewing
intelligence activities.  Under an executive order, inspectors general
and general counsel throughout the intelligence community must inform
the board about "intelligence activities that they have reason to
believe may be unlawful or contrary to Executive order or Presidential
directive."  The board then reports these activities to the President
and Attorney General.

The documents obtained by EPIC raise the troubling possibility that
hundreds of allegations of unlawful investigations are reported from
various agencies to the board each year.  Yet there is no requirement
that Congress is notified of these allegations or how these matters are
ultimately resolved.  In response to the documents, EPIC has written a
letter to the Senate Judiciary Committee highlighting the need for the
Attorney General to report to Congress on potentially unlawful
intelligence investigations.

The documents were released by the Bureau in response to an EPIC open
government request filed in March for information about the FBI's use of
sunsetting provisions of the PATRIOT Act, many of which gave the FBI
expanded investigative powers.  EPIC filed suit in federal court in May
to force the FBI to release the information while Congress is
considering renewal of the sunsetting provisions. Congressional
conferees are expected to meet soon to reconcile the differences between
PATRIOT renewal legislation passed by the House and Senate.

EPIC FOIA documents on possible intelligence abuses (pdf):

EPIC's FOIA request (pdf):

Letter to the Senate Judiciary Committee:


EPIC's PATRIOT Sunset Page:

[5] EPIC, Others Challenge Internet Wiretap Order

EPIC joined a coalition of public interest and business groups on
October 25 in challenging a Federal Communications Commission order
that requires broadband Internet and certain voice-over-Internet
Protocol (VoIP) providers to design their systems to ease government
wiretapping.  The order expands the reach of the 1994 Communications
Assistance for Law Enforcement Act.

The law grew out of concerns that, as telephone networks became more
advanced, law enforcement agencies would have an increasingly difficult
time intercepting and deciphering the communications of suspects under
surveillance.  In 1994, Congress drafted a law that required telephone
companies to provide this assistance to the government.  In passing the
act, Congress removed from its coverage e-mail and “information
services” like America Online and Prodigy.

The Commission's expansion of the law will apply it to broadband
Internet providers and to "interconnected VoIP" providers, whose systems
are capable of interfacing with the traditional telephone network.  The
Commission also claimed that the wiretap law covered VoIP services that
did not connect to regular telephones, but that it would address those
technologies in a later ruling.

The groups contend that the law specifically prohibits the FCC's
expansion of its scope, and that applying it to these other technologies
will lead to privacy and security flaws.  To challenge the Commission's
order, they filed a petition for review, which brings the issue before
the federal Circuit Court of Appeals for the D.C. Circuit.  EPIC is
joined in the challenge by the American Library Association, the
Association of Research Libraries, the Center for Democracy and
Technology, COMPTEL, the Electronic Frontier Foundation, pulver.com, and
Sun Microsystems.

Petition for Review (pdf):

The FCC's order (pdf):
Text of the wiretap law:

EPIC's wiretap page:

[6] News in Brief

Alito Paper on Privacy 

EPIC  has obtained a copy of the final report prepared by Supreme Court
nominee Samuel Alito for a 1972 conference on "The Boundaries of Privacy
in American Society." The paper proposes far-reaching protections for
the right of privacy, and specifically  addresses such topics as the use
of census data, polygraphs, domestic  surveillance, communications
privacy, computer security and encryption, consumer protection, and

Copy of Alito's 1972 report (pdf):

Spotlight: Facial Recognition Systems Don't Picture Privacy

This month, Spotlight focuses on facial recognition systems. The
Department of Homeland Security has spent millions of dollars on these
"smart" cameras that attempt to identify people based on their facial
images. However, several tests show the systems are not reliable. Facial
recognition systems also create significant privacy risks: the cameras
are often hidden and there are no laws to prevent abuse.

EPIC's Spotlight on Surveillance page:

EPIC's Facial Recognition page:

Public Voice Privacy Symposium: Debut of Privacy and Human Rights 2005

Government data protection authorities, academics, and human rights and
privacy groups gathered at the university of the Andes in Bogota,
Colombia on October 20-21 to hold the Public Voice Symposium on Privacy
and Data Protection in Latin America: Analysis and Perspectives.  The
symposium gave experts from Latin America and the United States an
opportunity to analyze and debate the most current public policy issues
and recent developments in privacy in Latin America.  The meeting also
marked the introduction of the first Spanish-language edition of EPIC's
annual Privacy & Human Rights survey.

Symposium website (in English and Spanish): 

Presentations available at:

47 Attorneys General Urge Congress to Protect Data Security
47 Attorneys General urged party leaders in the House and Senate to pass
a strong security breach notification law.  The letter is in response to
a series of bills that have been introduced to address security breaches
and identity theft at the federal level, many of which are substantially
weaker than existing state law.  The Attorneys General argued quick
notification of is necessary because Federal Trade Commission statistics
show that the cost and severity of identity theft are reduced when
victims are informed shortly after their information is misused.

The Attorneys General also called for the ability of consumers to freeze
their credit report.  Freezing a credit report makes it very difficult
for identity thieves to open new accounts in another's name.  The
Attorneys General specified that credit freeze should be low cost for
consumers, free for identity thieves, and easy to "thaw" so that
consumers can take advantage of credit offers.
The Attorneys General letter is online at (pdf):
Putting Identity Theft on Ice: Freezing Credit Reports to Prevent
Lending to Impostors:

ID Thieves Prey on Financial Aid
According to the Wall Street Journal, identity thieves have found a new
target for fraud: the government.  Identity thieves are posing as
students in order to collect federal student financial aid.  One thief
profiled by the Journal assumed 43 identities and stole $316,000 in
federal aid.  The thief committed the crime by purchasing a list of
names of prison inmates, and using their personal information for fraud.
The article is online at:

[7] EPIC Bookstore: Renee Marlin-Bennett's "Knowledge Power;
Intellectual Property, Information & Privacy"


Where are the lines between privacy, intellectual property, and
information flows?

Renee Marlin-Bennett offers perspective on the central question: How do
the ability to own intellectual property and information and the ability
to control how information flows become a source of power? This book
provides a good review of the history of Intellectual Property and the
key changes in information technology that elevated the discussion of
privacy in cyberspace to the forefront of public discourse.

One interesting reminder that the publication offers is that the rules
regarding intellectual property were established in the West and are
quickly being adopted by the developing world.  Intellectual property
rights are dictating the global commercial exchange of goods and
services.  The rules that define property rights are called
"Commodification."  These legal protections are based solely on human
invention and not strict ownership definitions.  The author asserts that
what has followed under the regime of intellectual property is a good
indication of where we are going.

This book reminds readers that computers and more importantly the
Internet have changed the dynamics of personal information flow. Digital
information presents challenges to privacy and information transaction
control.  With the speed and easy of sending personally identifiable
information globally the stakes are high on getting privacy over the
Internet wrong.  Today in appropriate or illegal information
transactions can and do happen.

Renee Marlin-Bennett's book "Knowledge Power; Intellectual Property,
Information & Privacy," should be read by those just learning or well
versed on the topics of intellectual property, information, and privacy.

Lillie Coney


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and international privacy law, as well
as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers and
the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several governments
are gaining new powers to combat the perceived threats of encryption to
law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Contours of Privacy: Normative, Psychological, and Social Perspectives.
Carleton University. November 5-6, 2005. ottowa, Canada. For more

12th ACM Conference on Computer and Commnuications Security. Association
for Computing Machinery: Special Interest Group on Security, Audit, and
Control. November 7-11, 2005. Alexandria, VA. For more Information:

Regulating Identity Theft and Data Breaches. American Bar Association
Section of Administrative Law and Practice. November 17, 2005.
Washington, DC. For more information:

The Federal Bank Regulator's Approach to Data Security. American Bar
Association Section of Administrative Law and Practice. November 17,
2005. Washington, DC. For more information:

The World Summit on the Information Society.  Government of Tunisia.
November 16-18, 2005.  Tunis, Tunisia.  For more information:

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005.  Vancouver, Canada.  For more information:

Fifth International Conference on Data Mining. IEEE Computer Society.
November 27-30, 2005. Houston, TX.  For more information:

First International Conference on Availability, Reliability and
Security. Vienna University of Technology. April 20-22, 2006. Vienna,
Austria. For more inofrmation:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 12.22 -------------------------