                           E P I C  A l e r t
Volume 13.02                                            January 27, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] FTC Announces Choicepoint Data Breach Settlement
[2] EPIC Sues Justice Department for Warrantless Surveillance Records
[3] State and Federal Governments Address Illegal Phone Record Sales 
[4] Justice Department Subpoenas Search Records; Google Resists
[5] EPIC Comments on Junk Faxes, Preemption of State Law
[6] News in Brief
[7] EPIC Bookstore: Edmund J. Pankau's "Hide Your Assets and Disappear"
[8] Upcoming Conferences and Events

[1] FTC Announces Choicepoint Data Breach Settlement

On January 26, the Federal Trade Commission announced that it had
reached a multi-million dollar settlement with data broker Choicepoint
regarding the company's poor privacy and data security practices, as
well as violations of federal law. Choicepoint will pay $10 million to
the Commission and will have to pay an additional $5 million to redress
the harms suffered by consumers. It is the largest civil penalty in FTC

The settlement, the largest of its kind, brings an end to an FTC action
that accused Choicepoint of risking the personal information of at least
163,000 individuals. Choicepoint sold these records to a crime ring of
identity thieves, without performing basic security checks and ignoring
warning signs that the thieves were not who they claimed to be. At least
800 claims of identity theft are known to have arisen as a result of
these lapses.

According to the Commission, Choicepoint, which sold the records of at
least 163,000 individuals to a criminal ring of identity thieves,
violated federal law by failing to maintain reasonable procedures to
protect information, and also by falsely advertising that they
adequately shielded personal information from fraud and misuse.

“The message to ChoicePoint and others should be clear: Consumers'
private data must be protected from thieves,” said Deborah Platt
Majoras, Chairman of the FTC. “Data security is critical to consumers,
and protecting it is a priority for the FTC, as it should be to every
business in America.”

EPIC filed a complaint with the Federal Trade Commission in December
2004 that described Choicepoint's sale of personal information that
failed to provide the privacy safeguards of the Fair Credit Reporting

However, the FTC failed to act on the EPIC complaint until the press
reported on the sale of personal data by Choicepoint to a criminal ring
engaged in identity theft. More than 800 consumers so far have been
victims of identity theft as a result of that disclosure.

EPIC has recommended legislation that would allow consumers access to,
and the ability to correct, personal records maintained by data brokers,
as well as mandatory notification when individuals' personal information
had been breached.

Federal Trade Commission Press Release:


Federal Trade Commission Court Documents:


EPIC's Choicepoint web page:


EPIC's 2004 Complaint:


[2] EPIC Sues Justice Department for Warrantless Surveillance Records

Last week, EPIC filed a Freedom of Information Act lawsuit against the
Department of Justice. The suit asks a federal court to order the
Department to disclose information about the National Security Agency's
warrantless domestic surveillance program within 20 days. EPIC argued in
its court papers that the debate surrounding the activity "cannot be
based solely upon information that the Administration voluntarily
chooses to disseminate." The case has been assigned to Judge Henry H.
Kennedy, Jr. of the United States District Court for the District of

Last month, the New York Times reported that President Bush secretly
issued an executive order in 2002 authorizing the NSA to conduct
warrantless surveillance of international telephone and Internet
communications on American soil. It was also reported that the Justice
Department has played a key role in authorizing, implementing and
overseeing this controversial activity. President Bush has acknowledged
the existence of the surveillance program and vowed that it would

EPIC submitted FOIA requests to the NSA and Department of Justice just
hours after the existence of the program was first reported. Noting the
extraordinary public interest in the program and its potential
illegality, EPIC asked the agencies to process the requests quickly. The
Justice Department agreed that the requests warranted priority
treatment, but has now failed to comply with the Freedom of Information
Act's usual time limit of 20 working days.

In response to EPIC's request, the NSA has released two internal messages
from the agency's director to staff, which defend the NSA's warrantless
eavesdropping and discourage employees from discussing the program with
the news media. The NSA has withheld all other material responsive to
EPIC's request. EPIC has asked the agency to reconsider its decision.

EPIC's complaint (pdf):


EPIC's motion for preliminary injunction (pdf):


Internal messages obtained from the NSA by EPIC through the Freedom of
Information Act (pdf):


EPIC's Warrantless Surveillance FOIA Page:


[3] State and Federal Governments Address Illegal Phone Record Sales 

Many different government entities are taking legal action to address
the problem of online data brokers who obtain and sell phone records.
These companies openly advertise their ability to obtain personal
information of other people for a fee. In addition to phone records,
some of these companies offer to sell the identities of individuals who
participate in dating services, such as Match.com and Lavalife; others
offer the real identities of individuals based on their "AOL Screename"
or their P.O. Box ownership.  This information is obtained through
"pretexting," a practice where an investigator impersonates the account
holder in order to trick the business into releasing records.

In July 2005, EPIC filed a complaint with the Federal Trade Commission
urging the agency to take action against online data brokers (See EPIC
Alert 12.14 http://epic.org/alert/EPIC_Alert_12.14.html).  In August,
EPIC supplemented that complaint with a list of 40 websites that offered
to sell personal information, and petitioned the Federal Communications
Commission to require telephone carriers to enhance their security
standards for customer information (See EPIC Alert 12.18
http://epic.org/alert/EPIC_Alert_12.18.html). The FCC's Enforcement
Bureau has initiated an investigation and issued subpoenas to online
data brokers under its existing statutory authority to protect phone
records. The FCC has yet to act formally on the EPIC petition.

On the federal level, two Senate bills have been introduced to prohibit
accessing phone records through pretexting. Two more bills are expected
in the House of Representatives.  Generally, the bills prohibit the use
of pretexting or trickery to obtain records and the resale of phone
records. Next week, EPIC will testify before the House Energy and
Commerce Committee on the need for carriers to shield records and for a
ban on pretexting.

Attorneys General from Illinois, Missouri, and Florida have brought suit
against companies identified by EPIC as selling phone records.
Additionally, telephone carriers Verizon Wireless, Cingular, and
T-Mobile have brought suits against online data brokers for fraud and
misrepresentation. EPIC has supported these enforcement efforts, but
regulatory intervention is needed to solve this privacy problem in the
long term.  Otherwise, these data brokers simply will reform as new
companies or "go underground" once authorities' attention turns to other

EPIC Illegal Sale of Phone Records Page:


S. 2177, the Phone Records Protection Act of 2006:


S. 2178, the Consumer Telephone Records Protection Act of 2006:


[4] Justice Department Subpoenas Search Records; Google Resists

The U.S. Justice Department recently asked a federal court in California
to compel Google to turn over records revealing all of the queries
entered into the prominent search engine over the course of a week in
2005. The motion to compel comes after months of negotiations between
Google and the Justice Department, during which Google has refused to
turn over the records, claiming that the request was overly burdensome
and a threat to Google's trade secrets and possibly users' privacy.

In August of last year, the government originally sought a list of all
of the sites indexed by Google, as well as all queries entered into
Google from June 1, 2005 to July 31, 2005. This request was later
narrowed to a random sampling of 1 million URLs from the Google index
and all search queries made during a one-week period.

The requests highlight a privacy vulnerability in individuals' dealings
with search engines and other online companies. Though the government
did not ask for any personally identifiable information in its request,
Google does store search histories, email logs, and other information in
such a way that online activities can be traced back to individuals.
Nothing would prevent the government from requesting these logs in the
next case, or even as a follow-up to information gathered in this
particular sweep.

The current request for records comes not in connection with any
particular criminal or civil law enforcement action, but rather an
attempt to justify the 1998 Child Online Protection Act. The law would
have criminalized sites that posted adult material online, unless the
site required visitors to provide a credit card number or some form of
age verification. This law was challenged in 1998 by civil liberties
groups, including EPIC, and in 2004 the Supreme Court upheld a
preliminary injunction preventing the law's enforcement, claiming that
it was overly restrictive to free speech. The Court then remanded the
case back down to the trial court for a full trial on the law's

As part of its fact-gathering for this trial, the Justice Department is
attempting to show that less restrictive methods of keeping children
from offensive material, such as web filters, are ineffective. How the
sampling of URLs and search requests from Google will help in this
effort is unclear, though it is possible that the vast amount of data
sought could be processed in a way that shows that searches can
inadvertently return objectionable material.

Google is not the only company to have its records sought by the Justice
Department. Reports have indicated that Microsoft, Yahoo, and AOL have
also been subpoenaed, and have turned over similar information to the

DOJ's Motion to Compel Google Documents (pdf):


Declaration of DOJ Attorney, with Correspondence Between DOJ and Google


Declaration of DOJ Statistician Philip Stark (pdf):


EPIC's Child Online Protection Act (Ashcroft v. ACLU) Page:


[5] EPIC Comments on Junk Faxes, Preemption of State Law

In comments to the Federal Communications Commission, EPIC recommended a
series of protections to shield individuals against junk faxes. The
comments were in response to a request for guidance in the
implementation of the Junk Fax Prevention Act (JFPA).  That law, passed
by Congress in 2005, actually made it easier for advertisers to send
junk faxes by explicitly adding an "established business relationship"
exemption to the federal prohibition on sending fax advertising. This
exemption, which junk faxers previously tried to create through
litigation, allows businesses to send messages to their current
customers.  If an individual makes any purchase or requests any
information from a business, she has created an "established business

The JFPA requires junk faxers to place an opt-out notice on the message,
and to maintain a cost-free mechanism for individuals to opt out. EPIC's
comments specified that the opt-out notice should appear at the top of the fax
message, identify the sender of the message, and state that it was sent
pursuant to the "established business relationship" exemption.

Under the JFPA, the business can harvest a customer's fax number from
sources where the customer voluntarily disseminated it. EPIC argued that
companies should not be able to use fax number directories or numbers
published on web sites to harvest fax numbers unless it is coupled with
a statement that the holder of the number wishes to receive unsolicited
fax messages.

In separate comments, EPIC argued that the federal JFPA should not
supersede or "preempt" California's heightened protections against junk
faxes. In reaction to the passage of the JFPA, California legislators
moved quickly to protect state residents from junk faxes by requiring
affirmative consent from the recipient before businesses can send
messages.  EPIC argued that although junk faxers use interstate
communications to send messages, California has a strong interest in
regulating the practice.

EPIC Comments on the Junk Fax Prevention Act:


EPIC Comments on Preemption of State Junk Fax Laws:


EPIC Statement on the Junk Fax Prevention Act:


[6] News in Brief

Creation of National ID Card Will Be a Nightmare, Report Shows

State motor vehicle officials across the nation say it will be a
nightmare to implement the REAL ID Act, a law passed in May that will
turn driver's licenses into national ID cards. A comprehensive survey
concluded last August but recently obtained by the Associated Press
revealed the costs of implementation have been vastly underestimated by
the government, which initially put the total price at $100 million.
According to the survey, Pennsylvania alone would spend $85 million on

American Association of Motor Vehicle Administrators' Report on the REAL
ID Act (pdf):


EPIC's National ID Cards and REAL ID Act page:


U.S. Government to Test E-Passports in San Francisco

The Department of Homeland Security has begun testing E-Passports at San
Francisco International Airport. The E-Passports contain Radio Frequency
Identification chips, which transmit information wirelessly. Testing
conducted last year revealed that such E-Passports impede the inspection
process, according to documents recently obtained by EPIC under the
Freedom of Information Act. EPIC has urged the agency to abandon the use
of such technology in passports because of significant security and
privacy issues.

DHS Press Release Announcing the San Francisco Test:


EPIC's Comments to DHS About E-Passports, December 2005 (pdf):


EPIC's RFID page:


Survey: Americans Value Health Privacy, Have Security Concerns

Survey results released on January 17 by Health Industry Insights
indicate that Americans are deeply concerned about the vulnerability of
their medical records online.  A third of all respondents indicated that
the fear of their medical information being revealed on the Internet was
a reason they felt less comfortable sharing information with primary
care physicians. Nearly half (47%) who felt uncomfortable sharing
information with their primary care doctors wanted control over who
accesses their information. These results reinforce the need for privacy
to be built into any health information technology system, such as the
proposed national health IT network.  EPIC and Patient Privacy Rights
are asking concerned citizens to sign an electronic petition demanding
that privacy rights be put back into healthcare law.

"I Want My Medical Privacy" Petition:


Patient Privacy Rights:


EPIC's Medical Privacy Page:


Apple Changes its iTunes in Response to Privacy Concerns

In response to criticism from privacy and consumer advocates, Apple
recently announced changes to the latest version of iTunes. Version
6.0.2 originally enabled by default a feature known as the "MiniStore,"
which would report to Apple the track that a user was listening to and
use the information to serve advertising to the user's iTunes player. 
Privacy advocates, including EPIC, noted that Apple had not disclosed
this practice to users, nor how Apple planned to store, share, or
otherwise use the information. In response, Apple altered the program so
that the feature was off by default, and provided a clear warning to
users as to what information would be sent and that it would not be

iTunes Privacy Policy:


ID Theft Tops List of Federal Trade Commission Complaints

The Federal Trade Commission recently released its annual report of
consumer complaints about fraud and identity theft. As in previous
years, complaints about identity theft were by far the most common,
accounting for 37 percent of the 686,683 complaints filed. Other common
areas for complaint included Internet auctions (12%), foreign money
offers (8%), catalog sales (8%), and lotteries (7%). Credit card fraud
was the most common form of reported identity theft, followed by phone
or utilities fraud, bank fraud, and employment fraud.

FTC Consumer Complaint Report (pdf):


EPIC's Identity Theft Page:


[7] EPIC Bookstore: Edmund J. Pankau, "Hide Your Assets and Disappear"

Edmund J. Pankau, Hide Your Assets and Disappear, A Step by Step Guide
to Vanishing Without a Trace, 1999 Harper Collins


Books on "asset protection" always begin with some sort of reactionary
justification for hiding one's money from others. Something about asset
protection requires one to clear their conscience.  Sometimes it's the
specter of the IRS, often referred to as the "devil" in asset protection
books.  Other times it's the deficit or anything to do with Bill
Clinton.  In Pankau's "Hide Your Assets and Disappear," it's the
good-for-nothing former spouse who's after your millions and prized
yacht.  Did I mention that she performed a sexual favor for the judge,
resulting in a lopsided marital settlement?  Clearly, such an action
justifies abandoning legal responses in favor of moving one's assets to
frustrate satisfaction of the settlement.

Once you're free from guilt, Pankau's advice can help you funnel money
outside the country, establish a new identity, and even leave false
trails to mask your actual location.  Pankau not only reviews the
popular havens for hiding, but gives the reader tools to evaluate
whether a country is still a good place to avoid the IRS and that
ex-wife you married.  Pankau emphasizes that if you want to disappear,
you have to disappear.  That means a lot of inconvenience.  And
absolutely no contact with family members or friends from your old life.
 If you think you're ready for that, pick up Pankau's book.
--Chris Jay Hoofnagle


EPIC Publications:

"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
60 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2004 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers and
the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several governments
are gaining new powers to combat the perceived threats of encryption to
law enforcement.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Data Devolution: Corporate Information Security, Consumers and the
Future of Regulation. Fredric G. Levin College of Law, University of
Florida. February 3-4, 2006. Gainesville, Florida. For more information:

Who Can You Trust?: Privacy and Security is Everyone's Responsibility.
Reboot Communications. February 9-10, 2006. Victoria, British Columbia,
Canada. For more information:

IAPP National Summit. International Association of Privacy
Professionals. Washington, DC. March 8-10, 2006. For more information:

Beyond the Basics: Advanced Legal Topics in Open Source and
Collaborative Development in the Global Marketplace. University of
Washington School of Law. March 21, 2006. Seattle, Washington. For more

Making PKI Easy to Use. National Institutes of Health. April 4-6, 2006.
Gaithersburg, Maryland. For more information:

First International Conference on Availability, Reliability and
Security. Vienna University of Technology. April 20-22, 2006. Vienna,
Austria. For more information:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine
Institute for Software Research and the National Science Foundation.
April 22-23. Montreal, Quebec, Canada. For more information:

The First International Conference on Legal, Security and Privacy Issues
in IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For more

Computers, Freedom, and Privacy Conference (CFP 2006). Association for
Computing Machinery. May 2-5, 2006. Washington, DC. For more information:

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Oshawa, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.02 -------------------------