
                           E P I C  A l e r t
Volume 13.21                                            October 20, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] Homeland Security ID Card Filled with Security, Privacy Risks
[2] Congressional Report: All 19 Federal Agencies Lost Personal Data
[3] US, EU Reach Temporary Agreement on Passenger Name Records
[4] ICANN Renewal Threatens Online Privacy
[5] Documents: Database on Antiwar Protests More Extensive Than Thought
[6] News in Brief
[7] EPIC Bookstore: Dan Brown's "Digital Fortress"
[8] Upcoming Conferences and Events

[1] Homeland Security ID Card Filled with Security, Privacy Risks

The State Department recently published a proposed rule in the Federal
Register for the creation of the People Access Security Service (PASS)
card, which would be used for "international travel by U.S. citizens
through land or sea ports of entry between the United States, Canada,
Mexico, the Caribbean, and Bermuda." If adopted as proposed, the PASS
Card would include a long-range wireless technology that would create an
increased security risk. This is a significant change from the previous
system, where U.S. citizens would show a driver's license, birth
certificate or nothing at all to cross the border.

The Intelligence Reform and Terrorism Prevention Act of 2004 mandated
that, by January 2008, the departments of Homeland Security and State
develop and implement a plan to require U.S. citizens and foreign
nationals to present a passport or other documents to prove identity and
citizenship when entering the United States from certain countries in
North, Central or South America. This program is called the Western
Hemisphere Travel Initiative, and accepted documents for U.S. citizens
will be either a valid U.S. passport or the proposed PASS card.

The data on the PASS card would include the personal information
currently displayed in passports, "bearer's facial image, full name,
date and place of birth, passport card number, dates of validity and
issuing authority." The card will "utilize Radio Frequency (RF)
technology to store and transmit" a unique reference number to the
border official so that she may access the traveler's information in a
large federal database, "which could include additional information, for
example, information about the bearer's membership in one of [Customs
and Border Protection's] international trusted traveler programs,"
according to the State Department.

There are significant privacy and security risks associated with the use
of RFID-enabled PASS cards to track the entry and exit of U.S. citizens,
including clandestine tracking of individuals, "skimming," and
"eavesdropping." Skimming occurs when information from an RFID chip is
surreptitiously gathered by an unauthorized individual. Eavesdropping
occurs when an individual intercepts data as it is read by an authorized
RFID reader. In the absence of effective security techniques, RFID tags
are remotely and secretly readable. The State Department said the PASS
card would use "vicinity read technology" that "would allow the passport
card data to be read at a distance of up to 20 feet from the reader."
This longer distance increases the security risk, as unauthorized
readers could be hidden a significant distance from the PASS cardholder.
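To make the tracking, skimming and eavesdropping risks described above concrete, here is an added Python model (not code from EPIC or from the State Department's proposal) of a card that broadcasts a fixed reference number to any reader, beside a card that answers only readers proving knowledge of a shared key and never repeats a value over the air. The cardholder names, reference numbers, keys and reader locations are constructed for the demonstration, and the challenge-response scheme is an illustrative mitigation, not one the proposed rule specifies.

```python
import hmac
import hashlib
import os
from collections import defaultdict

# Constructed sample: two cardholders, each walking past three readers.
# Names, reference numbers and keys are hypothetical values for this demo.
CARDHOLDERS = {
    "alice": {"ref": "PASS-0001", "key": os.urandom(16)},
    "bob":   {"ref": "PASS-0002", "key": os.urandom(16)},
}
ROUTE = ["port-of-entry", "parking-lot", "shopping-mall"]


class StaticIdCard:
    """Card that emits a fixed reference number to whoever asks."""

    def __init__(self, ref):
        self.ref = ref

    def respond(self, reader_nonce, reader_proof):
        return {"ref": self.ref}          # no check on who is asking


class AuthenticatingCard:
    """Card that answers only readers proving knowledge of a shared key,
    and whose reply never contains a value that repeats between reads."""

    def __init__(self, ref, key):
        self.ref, self.key = ref, key

    def respond(self, reader_nonce, reader_proof):
        expected = hmac.new(self.key, b"reader" + reader_nonce,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, reader_proof):
            return None                   # unauthorized reader gets nothing
        card_nonce = os.urandom(16)
        tag = hmac.new(self.key, b"card" + reader_nonce + card_nonce,
                       hashlib.sha256).digest()
        return {"card_nonce": card_nonce, "tag": tag}


def authorized_read(card, key):
    """Border reader holding the card's key: fresh nonce plus a proof."""
    nonce = os.urandom(16)
    proof = hmac.new(key, b"reader" + nonce, hashlib.sha256).digest()
    return nonce, card.respond(nonce, proof)


def rogue_read(card):
    """Hidden reader that knows no key: sends a garbage proof."""
    return card.respond(os.urandom(16), b"\x00" * 32)


def identify(reader_nonce, reply):
    """Backend holding the per-card keys recovers which card answered."""
    for info in CARDHOLDERS.values():
        tag = hmac.new(info["key"],
                       b"card" + reader_nonce + reply["card_nonce"],
                       hashlib.sha256).digest()
        if hmac.compare_digest(tag, reply["tag"]):
            return info["ref"]
    return None


def rogue_tracking(card_factory):
    """Return {identifier: [locations]} that one hidden reader per stop on
    ROUTE could compile; an empty dict means no correlation was possible."""
    sightings = defaultdict(list)
    for info in CARDHOLDERS.values():
        card = card_factory(info)
        for place in ROUTE:
            reply = rogue_read(card)
            if reply is not None:
                sightings[reply["ref"]].append(place)
    return dict(sightings)


def eavesdrop_correlatable(info):
    """Capture two authorized sessions with the same card and report whether
    any over-the-air value repeats between them (True = linkable)."""
    card = AuthenticatingCard(info["ref"], info["key"])
    (n1, r1), (n2, r2) = [authorized_read(card, info["key"]) for _ in range(2)]
    seen1 = {n1, r1["card_nonce"], r1["tag"]}
    seen2 = {n2, r2["card_nonce"], r2["tag"]}
    return bool(seen1 & seen2)
```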

Sen. Leahy co-sponsored, with Sen. Ted Stevens of Alaska, legislation to
postpone implementation of the Western Hemisphere Travel Initiative
until certain requirements are met. The legislation, recently passed,
mandates that the departments of Homeland Security and State "ensure
that the technology for any Passport Card (PASS Card) meets certain
security standards - and that the National Institute of Standards and
Technology certify the technology chosen by DHS and State," Sen. Leahy
said. Upon learning of the State Department's proposed rule for the PASS
card technology, Sen. Leahy expressed disappointment. "This draft rule
shows the importance of our reforms to improve the PASS Card system and
to make these agencies more accountable.... Without even testing the
technology for use as a passport or personal ID, they have chosen a
weaker security standard that would make our borders less secure and
that would risk the personal information of millions of Americans," he
said. The public has until December 18 to comment on the proposed PASS

The European Union, which includes 25 member states, is also
scrutinizing RFID technology. The increasing use of RFID technology
"will raise tremendous challenges for sovereignty, individual liberties
and economic independence. It will be necessary that citizens keep
control of how the information concerning them is utilized and updated
and how the tags can be deactivated," EU Information Society
Commissioner Viviane Reding recently said at the EU RFID 2006
Conference. The European Commission is considering proposing legislation
in 2007 to ensure privacy safeguards in the use of RFID technology.

State Department's Federal Register PASS Card Proposal:


EPIC's Spotlight on Surveillance: "Homeland Security PASS Card: Leave
Home Without It":


Speech of Viviane Reding, Member of the European Commission responsible
for Information Society and Media, "RFID: Why we need a European Policy"


EPIC's Page on RFID:


[2] Congressional Report: All 19 Federal Agencies Lost Personal Data

All 19 federal departments and agencies have had incidents of lost or
stolen personal data since 2003, according to a report released last
week by the House Government Reform Committee. The nearly 800 incidents
of data losses have affected millions of citizens.

In July, the committee asked all cabinet agencies, the Office of
Personnel Management and the Social Security Administration to detail
incidents involving the loss or compromise of any sensitive personal
data held by an agency or a contractor since January 1, 2003. Most of
the data losses have not been publicly reported, and the report said the
"vast majority of data losses arose from physical thefts of portable
computers, drives, and disks, or unauthorized use of data by employees."

The report said that the agencies often did not know what data was lost
or how many individuals were affected. Also, "agencies do not appear to
be tracking all possible losses of personal information, making it
likely that their reports to the committee are incomplete."

The committee probed the question of data security after an information
security breach in May by a Veterans Affairs employee resulted in the
theft from his Maryland home of unencrypted data affecting 26.5 million
veterans, active-duty personnel, and their family members. The laptop
and an external hard drive containing unencrypted information were later
found. But the recovery of the equipment came as newly discovered
documents showed that Veterans Affairs had given permission in 2002 for
the analyst, from whom the equipment was stolen, to work from home with
data that included millions of Social Security numbers, disability
ratings and other personal information. Agency officials previously said
the analyst was fired because he violated agency procedure by taking the
data home.

Many commercial data security breaches also have occurred in the last
year and a half. Data broker ChoicePoint revealed in February 2005 that
it had sold information on about 400,000 people to identity thieves. A
short time later, Bank of America misplaced back-up tapes containing
detailed financial information on 1.2 million employees in the federal
government, including many members of Congress. Lexis-Nexis made
available records from its Seisint division on 32,000 Americans to a
criminal ring that exploited passwords of legitimate account holders.

House Committee On Government Reform: "Staff Report: Agency Data
Breaches Since January 1, 2003" (pdf):


EPIC's Page on ChoicePoint: 


EPIC's Page on the Veterans Affairs Data Theft: 


[3] US, EU Reach Temporary Agreement on Passenger Name Records

The European Union and the United States concluded a new deal on
passenger name records on October 6, nearly a week after the deadline
imposed by the European Court of Justice in voiding the previous accord.
The 25 EU countries have given final approval to the deal, and it will
remain valid until July 2007.

The agreement differs from the previous accord in several significant
ways, according to EU Justice Commissioner Franco Frattini. The
Department of Homeland Security no longer has the automatic right to
pull data on travelers aboard U.S.-bound flights but instead must ask for
the information. Moreover, the department may disclose the data to other
US law enforcement agencies only if they adhere to similar standards of
data protection. However, prominent EU politicians, including Sophie
in 't Veld, Rapporteur for the EU-US agreement on PNR, have questioned
whether the agreement is worded to cloak increased access for American
law enforcement in language that seems to comply with EU privacy laws.

As under the previous agreement, which had been in place since May 2004,
passenger name records (PNRs) on travelers from Europe will be
transmitted to the U.S. Department of Homeland Security within 15
minutes of a flight's departure. PNRs are data held by air carriers and
travel agents collected during booking, and can include passenger travel
dates, home and work addresses, payment details, members of the party
and meal preferences. The minimum amount required for a travel booking
is a name, contact information, and itinerary.

Since the European Court of Justice ruled in May that the agreement was
illegal because it exceeded the scope of the 1995 EU Directive on data
protection, the two sides have been engaged in high-level negotiations
over the terms of a new accord. The Department of Homeland Security
sought increased access to the passenger name records, including the
right to share passenger data with other US government agencies. The
European Union delegation was concerned that such use of citizens' data
would violate European privacy laws.

Last month, the Transatlantic Consumer Dialogue (TACD), a coalition of
US and EU consumer groups, wrote to US and EU officials, urging them to
include privacy safeguards in air passenger data sharing agreements. The
consumer groups requested that officials considering PNR sharing abide
by three criteria. First, the agreement must respect the May 2006
European Court of Justice decision that PNR sharing agreements must have
an adequate legal basis and be respectful of U.S. and EU privacy laws.
Second, the U.S. and EU must conduct a study comparing the effectiveness
of passenger profiling with other safety techniques. Third, the groups
held that an annual report of PNR sharing must be published.

Council of the European Union Press Release adopting temporary PNR


Ruling of the European Court of Justice:


EPIC's Privacy Law Sourcebook (containing the text of the EU Data


Text of TACD letter:


EPIC's Page on EU-US Airline Passenger Data Disclosures:


[4] ICANN Renewal Threatens Online Privacy

The Internet Corporation for Assigned Names and Numbers (ICANN), the
group that sets Internet policies for domain names, has reached a new
agreement with the Department of Commerce that may limit domain name
owner privacy. The new agreement includes a provision that "ICANN shall
continue to enforce existing policy relating to WHOIS, such existing
policy requires that ICANN implement measures to maintain timely,
unrestricted and public access to accurate and complete WHOIS

ICANN is the corporation that manages the assignment of domain names
(such as epic.org) to Internet Protocol addresses. Every person or
company that registers a domain name is required to make certain
information publicly accessible to a WHOIS lookup.  This information
includes the contact information for the domain name holder, including
her mailing address, e-mail address, telephone number, and fax number.
This same information has to be provided for the site's administrative
contact and technical contact.

The Department of Commerce has argued in the past that all WHOIS
information needs to be public and accurate. The department has complete
control over the .us top-level domain, and in February of last year, it
ordered that registrants of .us names must give their full, complete
registration information and that they may not register a name through a
proxy.  In testimony before a subcommittee of the House Financial
Services Committee this summer, the department argued that all WHOIS
information should be required to be public and accurate.

At the same hearing, EPIC Executive Director Marc Rotenberg testified in
support of ICANN's recent decision to limit WHOIS to providing technical
contacts for resolving network issues. That formulation of WHOIS allows
law enforcement and other authorized users to find owners of Web sites,
but the general public only has access to technical information
necessary for the functioning of the Internet. Rotenberg argued that a
public WHOIS database could chill unpopular political speech as well as
providing personal contact information to spammers and stalkers.

Joint Project Agreement between the Department of Commerce and ICANN


EPIC's Testimony Before the Subcommittee on Financial Institutions and
Consumer Credit. Committee on Financial Services (July 18, 2006) (pdf):


EPIC Amicus Brief in Peterson v. National Telecommunications and
Information Administration supporting privacy for domain name owners


EPIC's Page on WHOIS Privacy:


[5] Documents: Database on Antiwar Protests More Extensive Than Thought

Documents showing that the Defense Department's collection of
information on anti-war protests was far more extensive than previously
thought were obtained under a Freedom of Information Act request by the
American Civil Liberties Union. The documents show that the military
officials labeled as "potential terrorist activities" events ranging
from a "Stop the War Now" rally in Akron, Ohio to antiwar protests by
Quakers. A Defense Department spokesperson said that "questionable data
collection" had led to a tightening of the department's procedures so
that only information that is relevant to terrorism and related threats
is collected.

One protest was placed in the database after a Department of Homeland
Security source received an e-mail from the American Friends Service
Committee (a Quaker peace group) about protests focusing on
military recruitment offices with the goals of "raising awareness,
education, visibility in community, visibility to recruiters as part of
a national day of action." Other documents indicate that the Defense
Department was particularly concerned with disruption to military
recruiting and recruiters, though an internal report in May 2005 states:
"no reported incidents have occurred at these protests."

The latest disclosure comes after the Defense Department's
acknowledgment last year that it had maintained a database, known as
TALON, on over 1,500 "suspicious incidents" around the United States in
2004 and 2005. The department admitted that it had maintained the
information after it was determined that there was no threat from the
protests and past the 90 days its guidelines provided for. The
department also monitored student speech and e-mails at several
universities across the country, tracking students involved in
protesting military policies.

In addition to using TALON to monitor students, the Defense Department
also has programs that focus on collecting student information. In May
2005, the Department announced that it was going to create a massive
database for recruiting. The Pentagon's "Joint Advertising and Market
Research" system combines student information, Social Security numbers,
and information from state motor vehicle repositories into a unified
database housed at a private direct marketing firm. In June 2005, EPIC
and other privacy and consumer groups objected to the creation of the
database, arguing that it violated the Privacy Act and was unnecessarily
invasive. In addition, EPIC joined over 100 groups in sending a letter
to Secretary of Defense Donald Rumsfeld protesting the database.

FOIA documents about the database obtained by the ACLU: 


EPIC Memo on DOD Database (pdf):


Coalition Letter to the DOD Criticizing JAMRS:


[6] News in Brief

Government Report: Thousands Misidentified on Watch Lists

More than 30,000 people have been mistakenly linked to names on terror watch
lists when they crossed the border, boarded commercial airliners or were
stopped for traffic violations, according to a report by the Government
Accountability Office. The false positive problem - when a person who is
not a suspect is mistakenly matched to a watch list - is difficult to
fix. When Sen. Ted Kennedy was improperly matched, he could only resolve
the problem with the help of then-Homeland Security Secretary Tom Ridge.
The watch lists include 325,000 names of terrorism suspects or people
suspected to aid them. This is more than quadruple the 75,000 names on
the lists when they were created in 2003.

Government Accountability Office, "Terrorist Watch List Screening:
Efforts to Help Reduce Adverse Effects on the Public GAO-06-1031" (Sept.
29, 2006) (pdf):


Colorado Governor Candidate Alleged to Abuse Database Access

Colorado governor candidate Bill Ritter has alleged that his opponent,
Bob Beauprez, improperly accessed the FBI's National Criminal
Information Center (NCIC) database to get data for a television ad. The
database contains millions of records on criminal activity and is to be
used for law enforcement purposes. The Ritter campaign claims that the
Beauprez campaign used the database to investigate Ritter's performance
as the former Denver District Attorney. Beauprez has denied any

National Criminal Information Center:


Chicago Mayor: Surveillance Camera on Every Corner by 2016

Chicago Mayor Richard Daley said that he plans that by 2016, there will
be a surveillance camera on every corner in the city. "We'll have more
cameras than Washington, D.C. ... Our technology is more advanced than
any other city in the world - even compared to London," he said. Chicago
has more than 200 cameras, and Daley's Fiscal Year 2007 budget includes
funds for 100 more cameras. Studies have repeatedly shown that cameras
do not prevent crime. It is better to have police and better lighting
than cameras. Detroit, Miami and Oakland all have abandoned their camera
surveillance systems because they did not cut down on crime.

EPIC's Page on Video Surveillance: 


Observing Surveillance: 


MSNBC Report: 'Privacy Lost: No Secrets in the Digital Age'

News organization MSNBC is publishing a package on the loss of privacy
in America. The topics include how technology and security affect
privacy and how the U.S. and European Union laws differ. A Commentary by
EPIC Executive Director Marc Rotenberg explains that legislators need
more information before they can evaluate appropriately the NSA domestic
surveillance wiretap program.

MSNBC Report: 'Privacy Lost: No Secrets in the Digital Age'


EPIC's Page on Domestic Surveillance: 


GOP National Committee Mistakenly Releases Donors' Personal Data

The Republican National Committee erroneously e-mailed a list that
contained the names, races, and Social Security numbers of dozens of top
Republican donors to a reporter for the New York Sun. The incident
raises questions about the security and privacy safeguards the committee
has to protect the personal data of its donors. It also reiterates how
easy it is for data collected to be distributed to large groups, even

Republican National Committee site:


[7] EPIC Bookstore: Dan Brown's "Digital Fortress"

"Digital Fortress" by Dan Brown (St. Martin's Press 2004).


In this novel, Dan Brown explores the world of NSA cryptography through
a suspenseful plot that finds the NSA's secret, most effective
code-breaking computer in the middle of a hostage situation. A former
NSA employee has developed a code that the NSA, and all its brute-force
technology cannot break. If the code were made accessible to the public,
it would ostensibly cripple the U.S. intelligence efforts.

While this novel is somewhat predictable, it delves into the debate as
to whether national security necessitates the surrender of personal
privacy in the United States. Although it is written from the viewpoint
of the NSA, the author presents arguments, generally through sarcastic
references to the Electronic Frontier Foundation, that the total erosion
of the American people's privacy is not necessary to fight terrorism.

Dan Brown is also the author of "The Da Vinci Code" and "Angels and

     -- Courtney Barclay


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Markham, Ontario, Canada. For more information:

Companies Caught in the Middle: Legal Responses to Government Requests
for Customer Information. University of San Francisco. October 27-28,
2006. San Francisco, California. For more information:

Internet Governance Forum (IGF) October 30-November 2, 2006. Athens,
Greece. For more information:

28th International Data Protection and Privacy Commissioners'
Conference. November 2-3, 2006. London, United Kingdom. For more

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the United
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.21 -------------------------