
                           E P I C  A l e r t
Volume 12.24                                           December 01, 2005

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] EPIC Supports State Credit Freeze Laws
[2] Government Agency Seeks New Power to Track Travelers
[3] Denver Bus Rider Arrested for not Showing ID
[4] Canada's Privacy Officer Calls for "Drastic Action" on Phone Records
[5] EU Parliament Enacts Data Retention Limits
[6] News in Brief
[7] EPIC Bookstore: "The Glass Consumer"
[8] Upcoming Conferences and Events

[1] EPIC Supports State Credit Freeze Laws
In comments to the New York State Legislature and the Maryland Attorney
General, EPIC argued that individuals need more control over their
credit reports in order to curb the incidence and severity of identity
theft. The comments were in response to requests from both New York and
Maryland government officials who are exploring "credit freeze" laws,
legislation that gives individuals the ability to prevent the
dissemination of their credit report to new creditors. If credit
grantors cannot access an individual's report, the creditor will not
issue a new account. Therefore, allowing consumers to have more
control and freeze their reports lets them stop identity theft.

A consumer-friendly credit freeze law would allow any individual--even
someone not victimized by identity theft--to freeze his or her credit
report. Furthermore, individuals should be able to quickly "thaw" their
files online or by calling a toll-free number when they need to apply
for credit or a job.

The EPIC comments highlight how individuals need control over their
credit reports because the financial services industry continues to use
lax practices in granting credit. For instance, despite the promise that
consolidation of banks and greater information sharing would reduce
identity theft, banks are sending out a record number of "pre-screened"
credit offers in 2005. Over 5 billion of these offers will be sent in
the mail this year, and criminals can easily search mailboxes to obtain
the offers and use them to steal others' identities.

The comments also focus attention on instant credit. A number of
commentators have remarked in recent months that instant credit granting
makes identity theft "easy." The competition to issue new instant credit
accounts is such that creditors are opening accounts to toddlers and
dogs. In a series of identity theft cases documented in EPIC's comments,
identity thieves were able to obtain new accounts despite the fact that
they left clearly inaccurate information on the credit application. In
one case, creditors issued new accounts four times to an impostor who
used the wrong first name, birth date, and address of the victim.
Without the ability to freeze one's credit report, there is no way for
an individual to avoid these practices.

Finally, EPIC warned New York and Maryland authorities that the
financial services industry has begun to "blame the victim" for identity
theft. By engaging in a selective reading of identity theft statistics,
financial services companies have argued that in a majority of the
cases, roommates, family members, and others close to the victim
committed the crime. However, only about half of identity theft victims
even know how their identity was stolen. Only about a quarter of victims
know the actual identity of the thief, and in those cases, about a third
of the time the impostor was a family member. But the financial services
industry wants to blame the victim in order to maintain the status quo
and shift the focus away from its own practices.

EPIC Comments on Maryland Credit Freeze Laws:


EPIC Comments on New York State Credit Freeze Laws:


EPIC Identity Theft Page:


[2] Government Agency Seeks New Power to Track Travelers

The Centers for Disease Control and Prevention has proposed a rule that
would greatly expand the powers of the federal government to track and
quarantine individual travelers. The federal government, airline and
shipping industries would scrutinize travelers more closely.

The new rule, estimated to cost up to $865 million a year, would require
airline and shipping industries to gather passenger contact and health
information, maintain it electronically for at least 60 days, and
release it to the CDC within 12 hours of a request. The CDC would retain
the information for a year. The information gathered would include:
"permanent address, email address, passport information, traveling
companions or group, emergency contact information (including at least
name of an alternate person or business and a phone number), phone
number(s) for the passenger, itinerary, and other flight information."
According to the CDC, "[t]his set of data is greater than the set of
information currently collected by the airlines, [global distribution
systems], or travel agencies."

The rule also broadens the list of symptoms that would make passengers
subject to quarantine. It would allow the CDC to detain a sick
individual for three business days without a hearing. After that time,
the CDC Director would have the power to quarantine an individual until
the end of "the period of incubation and communicability for the
communicable disease as determined by the Director." For most diseases,
this would be about a month. During that month, the quarantined person
would be able to have an administrative hearing, but only to dispute
factual evidence on whether the person has been exposed to a disease.
Legal or constitutional claims could not be addressed by the hearing,
though detainees could petition for a writ of habeas corpus for judicial
review of the quarantine order.

With regard to its Privacy Act obligations, the CDC states only that
"[i]nformation and records provided to CDC will be maintained and stored
in accordance with HHS and CDC policies and in accordance with Privacy
Act (5 U.S.C. 552a) and its implementing regulations (45 C.F.R. Part
5b), which require that the records only be used for authorized purposes
by authorized personnel." What uses and personnel are authorized are

EPIC urges the public to submit comments and ask for a clear explanation
of how the CDC will comply with the provisions of the Privacy Act. The
public has until January 30, 2006 to comment on this rule. As part of an
effort to protect patients' privacy rights, EPIC and Patient Privacy
Rights are circulating an online petition calling for strong safeguards
of health record information.

The Proposed CDC Rule:


To submit comments about the Rule:


EPIC's Medical Privacy Page:


"I Want My Medical Privacy!" petition:

Patient Privacy Rights site:


[3] Denver Bus Rider Arrested for not Showing ID

On September 26, Deborah Davis was arrested in Denver, Colorado for
refusing to show an ID to a guard who had boarded the public bus she was
riding. After federal officers were called onto the bus, she was
arrested and cited with violating two federal regulations. She is
scheduled for arraignment before a U.S. magistrate judge on December 9.

Davis was riding to work when the bus, on its normal route, stopped at
the gates of the Denver Federal Center. A guard boarded the bus and
demanded to see ID from all of the passengers. Davis refused, noting
that she was not required to show ID. When ordered off the bus, Davis
also refused. The guard then called officers of the Federal Protective
Service to the bus. When Davis continued to refuse to show ID or leave
the bus, she was handcuffed, removed from the bus, and driven to a
police station within the Federal Center. Officers at the station
conferred for a while, then issued two tickets to Davis before allowing
her to leave.

Davis has been cited with violating two provisions of the Code of
Federal Regulations: one authorizing guards to request ID from persons
entering closed areas of federal property, and another requiring
compliance with lawful directions from officers. The municipal bus was
passing through the Center during normal business hours. Officials say
that the ID checks are part of a security program instituted after the
Oklahoma City bombings of 1995, and that they occur only when the
Federal Center is on "heightened alert," of which the public might not
receive warning.

Last year, the Supreme Court narrowly upheld a Nevada state law that
allowed officers to arrest individuals "reasonably suspected" to have
committed a crime when they refuse to provide their names to police.
EPIC filed an amicus brief in that case, Hiibel v. Sixth Judicial
District Court of Nevada, arguing that compelled disclosure of identity
affects privacy, as well as anonymity rights. In contrast to the Hiibel
case, Davis was apparently asked to show documentary identification, and
was not under suspicion of committing a crime.

Davis's Site:


Story in the Rocky Mountain News:


EPIC's Hiibel page:


EPIC's amicus brief in Hiibel (pdf):


[4] Canada's Privacy Officer Calls for "Drastic Action" on Phone Records

A reporter successfully obtained the personal and government phone
records of Canadian Privacy Commissioner Jennifer Stoddart, causing her
to call for "drastic action" to address the security of phone records.
The reporter, Jonathan Gatehouse of Maclean's Magazine, obtained the
phone records from American data broker "locatecell.com" for $200 per
order, "no questions asked." An exemption in Canadian privacy law allows
reporters to engage in such activities for newsgathering purposes.

Locatecell.com is one of 40 websites identified by EPIC as openly
advertising its ability to obtain phone calling records for a fee. EPIC
filed a complaint with the Federal Trade Commission concerning such
sites in July 2005. In August, EPIC petitioned the Federal
Communications Commission, and urged the agency to create heightened
security requirements for phone calling records.

Since EPIC filed its complaint and petition, a number of reporters have
successfully obtained phone records through online data brokers. Verizon
Wireless has brought at least two cases against companies that obtain
records. However, the FTC and FCC have yet to act.

Individuals concerned about protecting their phone records should take
several steps. First, ensure that your phone account is held in your
name. For instance, if the account is held in a spouse's name, your
spouse can obtain the records. Second, call your phone carrier and place
a password on your account. Use a password that you are apt to remember,
but others are not likely to know. The name of your first pet, a street
you lived on, or the name of your grade school will suffice. Do not use
your date of birth, mother's maiden name, or Social Security number.
Finally, be sure to opt out of the sale of "CPNI," when you call the
carrier. CPNI is your calling records, which are sold by many carriers
for marketing purposes unless you opt out.

Maclean's Article on Protection of Phone Records


EPIC's Page on Illegal Access to Phone Records:


[5] EU Parliament Enacts Data Retention Limits

Members of the European Parliament's Civil Liberties Committee voted to
limit a proposed data retention directive being negotiated by the
European Commission and 25 European Union governments through the
Council of the EU. The proposal has now gone back to the Council of
Ministers for them to accept the amendments or make further changes. The
Parliament and the Council will then have to reach a compromise on the
final legislation, which will later go to the European Parliament for a
vote. Great Britain, which holds the EU Presidency until the end of the
year, reaffirmed its commitment to reaching an agreement on the data
retention issue by that time.

The Committee's recommendations include decreasing from 24 to 12 months
the maximum period during which telephone companies and Internet service
providers could store traffic data. Committee members also agreed that the
data retention requirements could only apply to cases of serious crimes,
instead of all crimes. This comes as a reaction to a move from the music
and movie industries, who are eager to use the traffic data from all
users to prosecute people for uploading copyrighted files onto the
Internet and using peer-to-peer file-sharing networks. Consumer groups have
pointed out that the entertainment industry is attempting to hijack
legislation intended mostly to fight terrorism for its own, totally
unrelated, needs.

The Committee's amendments make modifications to the draft directive to
require that a judge authorize access to telephone and Internet traffic;
that there be provisions on access to retained data; that data mining be
prohibited, and the type of data to be retained be limited. They also
make it an obligation for EU governments to reimburse companies'
storage, management, data protection and data security costs the data
retention requirements mandate; recommend a sunset clause for the whole
directive; and that criminal sanctions be introduced for the
infringement of data security and data protection provisions.

European Digital Rights, a coalition of European civil liberties organizations, has
expressed concern about the data retention proposal. The ISP and
telecommunications industries are also opposed to the draft directive,
claiming in a joint statement that the retention periods the Parliament
put forward are still too long, and the scope of data too wide.

EPIC's International Data Retention page:


European Digital Rights (EDRi) home page:


[6] News in Brief

EPIC Files Suit for Information on Requests for Taxpayer Records

EPIC has asked a federal court to order the Internal Revenue Service to
release documents about law enforcement and intelligence requests for
taxpayer records since 9/11. EPIC has been seeking the information
through the Freedom of Information Act since July 2004, but the agency
has failed to disclose any documents. An EPIC FOIA request to the Social
Security Administration revealed earlier this year that the agency
changed its traditionally strict disclosure policy to allow law
enforcement agencies to obtain personal information merely by stating
the data was sought "in connection" with a 9/11 investigation. The
documents show the policy was still in effect in May 2004.

EPIC's complaint (pdf):


Documents obtained by EPIC from the Social Security Administration


EPIC's Internal Revenue Service Page:


Public Voice Symposium on Privacy in the Information Society

EPIC hosted a panel at the World Summit on the Information Society in
Tunisia on November 18, 2005 to introduce the highlights of its upcoming
"Privacy & Human Rights 2005" survey. Seven panelists from Europe, North
America, Latin America, the Middle East and Asia discussed their views
on the importance of privacy in the Information Society and the recent
privacy developments in their region. The panel gathered representatives
from civil society, human rights organizations, data protection
authorities and academic experts.

Public Voice Symposium Web page:


Highlights from Privacy & Human Rights 2005 (pdf):


Senate Considers Additional Exception to Federal Privacy Law

The Senate is mulling over a legislative proposal that would create an
intelligence exception to a federal privacy law. The Privacy Act imposes
obligations upon federal agencies maintaining personal data about
citizens and permanent residents, and gives those individuals rights in
their personal information held by the government. The proposed
exemption would allow intelligence and other agencies to share
information gathered about citizens and permanent residents when the
data is related to foreign intelligence or counterintelligence. The
legislation would also prevent individuals from accessing and correcting
records maintained about them by intelligence agencies, or learning to
whom those records have been disclosed. 

S. 1803, Intelligence Authorization Act for Fiscal Year 2006:


EPIC's Privacy Act of 1974 Page:


European Court's Top Advisor: Sharing Passenger Data with DHS Improper

The Advocate General of the European Court of Justice called for the
annulment of the May 2004 Passenger Name Records agreement between EU
and US authorities. The agreement requires airlines flying from the EU
to the US to disclose their passengers' personal information, including
e-mail and credit card details. The European Parliament complained to
the Court later that year that the agreement did not sufficiently
protect European travelers' privacy rights. Any eventual ruling by the
Court, which follows the Advocate General's opinion 80% of the time, may
call other EU anti-terrorism measures into question, as a data retention
proposal now under review before EU institutions (see item [5] above) is
being carried out under the same legal basis as the Passenger Name
Records agreement. The Court's final decision is expected next spring.

EPIC's EU-US Airline Passenger Data Disclosure page:


EPIC's Data Retention page:


FTC Study Shows Filters, Masking Help Reduce Spam

In a report released on November 28, the Federal Trade Commission found
that using spam filtering technologies and techniques such as "masking"
helps reduce the volume of unsolicited emails that consumers receive.
Researchers created 150 email accounts, some with spam filters, and some
without, and posted the addresses at various places on the Internet. The
study showed that Internet service providers that use spam filters
reduced spam by 86-95% over a five-week period. Masking, a technique by
which email addresses are presented in a human-readable, but not
machine-readable form (for instance, by displaying "epic-info AT epic
DOT org" instead of "epic-info@epic.org"), was found to be highly
effective. Four masked addresses received one spam message over a
five-week period, while four unmasked addresses received 6,416.

Results of the FTC Spam Study (pdf):


FTC Press Release:


EPIC's Spam page:


United Kingdom to Build System to Track All Drivers

The United Kingdom is creating a system that will track every person
using its roadways and retain the data for at least two years, even if
the driver has committed no offense. The system will link camera
surveillance systems, Automatic Number Plate Recognition technology, and
police and motor vehicle databases. UK officials say the system will be
used to find uninsured drivers, road tax evaders, and stolen cars, but
also for more serious crimes. The new system would add to Great
Britain's already-extensive surveillance system -- more than 4 million
cameras have been deployed throughout the country. It is estimated that
the average Briton is seen by 300 cameras per day.

EPIC's Spotlight on Surveillance about Camera Systems:


Privacy and Human Rights 2004 on Video Surveillance:


[7] EPIC Bookstore: "The Glass Consumer"

Edited by Susanne Lace


"The Glass Consumer" sets out a lofty goal for itself:  "to promote an
ambitious, sophisticated manifesto for the personal information economy,
taking in but exploring broader terrain than privacy." It analyzes the
issues of personal information not just in terms of individual privacy,
but in terms of consumer protection and the preservation of social
benefits. In doing so, it succeeds in refining the discourse on the use
of personal information.

The bulk of "The Glass Consumer" is a collection of essays written
mostly by UK information policy experts, who provide a broad, if
occasionally scattered, background of the many components of the debate.
Authorities in fields as diverse as marketing, privacy enhancing
technologies, and health care law each give a reasoned view of their
particular areas of expertise, with some hints as to how each author
might proceed. The actual policy debate between the authors' conflicting
views and assumptions, however, is left for the reader to conduct.

Dr. Lace references, but does not rely solely upon, these background
chapters as she ends the book with an in-depth policy statement, setting
forth the Council's agenda and recommendations for managing personal
information in the future. This final part of the book describes the
myriad issues and provides recommendations for future policy, geared
towards the UK. 

These recommendations include promoting the use of privacy enhancing
technologies, and granting stronger enforcement and auditing powers for
the Office of the Information Commissioner. The book also suggests a
major review of the European Commission's Data Protection Directive,
including clarification of key terms, requiring opt-in provisions across
all sectors, requiring separation between public and private sector
databases, and increasing access rights, to allow consumers to find out
which organizations have obtained personal information. Increased
consumer information is also stressed, such as a data breach
notification modeled after California's security breach law.

As extensive as the recommendations are, they still cannot address all of
the vast issues raised in earlier chapters, and "The Glass Consumer" may
raise more questions than it answers, but as technology and policy move
forward, raising and framing these questions is a necessary step.  By
precisely articulating the debate on the personal information economy,
"The Glass Consumer" does its readers, and the field of information
privacy, a great service.

 -- Sherwin Siy


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
60 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2004 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers and
the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several governments
are gaining new powers to combat the perceived threats of encryption to
law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:

Regulating Search: a Symposium on Search Engines, Law, and Public
Policy. Yale Information Society Project, Yale Law School. December 3,
2005. New Haven, Connecticut. For more information:

Committee Meeting of the Department of Homeland Security's Data Privacy
and Integrity Advisory Committee. Department of Homeland Security.
December 6, 2005. Washington, DC. For more information:

Cutting Edge Issues in Technology Law Conference. Law Seminars
International. December 8-9, 2005. Seattle, Washington. For more

Meeting of the Information Security and Privacy Advisory Board. National
Institute of Standards and Technology. December 6-7, 2005. Rockville,
Maryland. For more information:

Ensuring Privacy and Security of Consumer Information. American
Conference Institute. January 26-27, 2006. New York, New York. For more

Privacy in the Information Age: Databases, Digital Dossiers, and
Surveillance. High Tech Law Institute, Santa Clara University. January
27, 2006. Santa Clara, California. For more information:

First International Conference on Availability, Reliability and
Security. Vienna University of Technology. April 20-22, 2006. Vienna,
Austria. For more information:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine
Institute for Software Research and the National Science Foundation.
April 22-23. Montreal, Quebec, Canada. For more information:

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Oshawa, Ontario, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 12.24 -------------------------