
                           E P I C  A l e r t
Volume 13.25                                           December 15, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] Comments on Targeting System Extended, Legality at Issue
[2] Congress Passes Law Banning Telephone Pretexting
[3] Senators Akaka and Sununu Introduce Bill to Repeal REAL ID
[4] E-Voting Advisory Committee Rejects Trust of Software
[5] Congress Passes U.S. SAFE WEB Act
[6] News in Brief
[7] EPIC Bookstore: "Security in Computing"
[8] Upcoming Conferences and Events

[1] Comments on Targeting System Extended, Legality at Issue

The Department of Homeland Security has extended until Friday, December
29 the deadline for public comments for the "Automated Targeting
System," a federal database that creates secret, terrorist ratings on
tens of millions of American citizens. The legality of the traveler
profiling system is in question. Rep. Bennie Thompson (D-MS) said that
"serious concerns have arisen that, with respect to U.S. citizens and
possibly lawful permanent aliens, some elements of ATS as practiced may
constitute violations of privacy or civil rights."

The Automated Targeting System was originally established to assess
cargo that may pose a threat to the United States, but DHS proposes to
use the system to establish a secret terrorism risk profile for millions
of people. Simultaneously, DHS is seeking to remove Privacy Act
safeguards for the database. The Automated Targeting System's terrorist
risk profiles will be secret, unreviewable, and maintained by the
government for 40 years. The profiles will determine whether individuals
will be subject to invasive searches of their persons or belongings, and
whether U.S. citizens will be permitted to enter or exit the country.

The Identity Project submitted comments stating that ATS is prohibited
by Section 514(e) of the 2007 Homeland Security Appropriations Act. The
section reads, "None of the funds provided in this or previous
appropriations Acts may be utilized to develop or test algorithms
assigning risk to passengers whose names are not on Government watch
lists." Previous DHS appropriations acts have similar provisions. An
agency spokesman said the language in the appropriations bill does not
cover ATS and insisted the program is legal.

EPIC, 29 organizations and 16 privacy and technology experts filed
comments highlighting privacy and security risks inherent in ATS and
urging the agency to suspend the program and to fully enforce Privacy
Act obligations. The problems of the Automated Targeting System are
described in the current EPIC Spotlight on Surveillance.

Submit comments on the Automated Targeting System here:


Department of Homeland Security, Notice of Privacy Act system of
records, 71 Fed. Reg. 64543 (Nov. 2, 2006):


Comments of the Identity Project on ATS (pdf):


Comments of EPIC, 29 organizations and 16 privacy and technology experts
on ATS (pdf):


EPIC's October 2006 Spotlight: "Customs & Border Protection's Automated
System Targets U.S. Citizens":


EPIC's page on the Automated Targeting System:


[2] Congress Passes Law Banning Telephone Pretexting

In the last days of the session, Congress passed the Law Enforcement and
Phone Privacy Protection Act. The bill, which will become law once
signed by President Bush, creates federal criminal penalties for
"pretexters" who access telephone records -- including voice-over-IP
calling records. In "pretexting," a person pretends to be someone
else in order to obtain that person's records.

The Law Enforcement and Phone Privacy Protection Act prohibits accessing
phone records by making false and fraudulent representations, using
false documents, or accessing the records online by fraud. The bill also
targets data brokers that are in the business of selling pretexted
telephone records. Lastly, individuals who receive or purchase telephone
records are also punished. The bill does not place any restrictions or
duties upon telephone companies holding the data, such as limitations on
data retention or the creation of privacy safeguards.

The bill provides an exemption for law enforcement; this means that law
enforcement officials can bypass the judicial subpoena process and use
false and fraudulent representations to gain access to the telephone
records of individuals.  The bill does not preempt state laws;
therefore, states can still impose greater penalties on phone record
sales, or use other legal tools to stop pretexting.

In testimony before both the House and the Senate earlier this year,
EPIC stated that private records being bought and sold in the public
market present serious risks to victims of domestic violence and
stalking, and that there is no reason why an individual should be able
to obtain these records through pretexting, or outside of existing legal
process. EPIC opposed any exemptions to a ban on pretexting, because
routine procedures under the law, such as warrants and subpoena powers,
exist for legitimate investigations.

The bill does not criminalize pretexting of personal records other than
phone records. Data brokers also trade in other personal information,
such as the identities of users of online dating services, or location
information. In the case of Amy Boyer, her stalker, Liam Youens,
identified her work location by hiring an investigator who used
pretexting. Youens went to her workplace, killed Boyer and then himself.
Such use of pretexting would not be prohibited by this bill.

Last summer, Hewlett-Packard's use of pretexting as an investigative
tool resulted in the renewed interest in regulating this activity. This
week, Hewlett-Packard settled a civil suit filed by the California
Attorney General over its use of pretexting of reporters' and board
members' telephone records. In the settlement, the company promised to
make corporate governance reforms and pay $14 million into a state fund.
The fund will be used to finance investigations of privacy violations
and intellectual property piracy.

EPIC's page on the Illegal Sale of Phone Records:


EPIC testimony before the Senate Committee on Commerce, Science, and
Transportation Subcommittee on Consumer Affairs, Product Safety, and
Insurance at a hearing on "Protecting Consumers' Phone Records" (Feb.


EPIC testimony before the House Committee on Energy and Commerce at a
hearing on "Phone Records for Sale: Why Aren't Phone Records Safe From
Pretexting?" (Feb. 2006) (pdf):


Law Enforcement and Phone Privacy Protection Act (the final bill is
version 4):


California Attorney General's Statement on Hewlett-Packard Settlement:


EPIC's page on the Amy Boyer case, including an amicus brief filed by


[3] Senators Akaka and Sununu Introduce Bill to Repeal REAL ID

Sen. Daniel Akaka (D-HI) and Sen. John Sununu (R-NH) introduced
legislation on December 8 to repeal Title II of the REAL ID Act of 2005,
which mandates federal identification standards and requires that state
DMVs collect sensitive personal information. Congress passed REAL ID
without a hearing even though legislators in both parties urged debate.
The senators said they believe REAL ID "places an unrealistic and
unfunded burden on state governments and erodes Americans' civil
liberties and privacy rights." The National Conference of State
Legislatures had released a report estimating REAL ID's cost to the
states would be more than $11 billion over five years.

The Identification Security Enhancement Act (ISEA), S. 4117, replaces
REAL ID with language from the act that REAL ID repealed, the
Intelligence Reform and Terrorism Prevention Act of 2004. That act
included "carefully
crafted language -- bipartisan language -- to establish standards for
States issuing driver's licenses," said Sen. Richard Durbin (D-IL). The
Identification Security Enhancement Act requires that new guidelines for
driver's licenses and identification cards be developed by a shared
rulemaking process involving federal officials, state governments and
privacy experts.

ISEA also includes strong security and privacy protections that were not
in the 2004 law. ISEA requires that states confiscate licenses and ID
cards "if any component or security feature" of the cards is
compromised. However, there is no breach notification requirement; if
the security of the database or card is compromised, each individual
affected should receive notice.

ISEA also requires "procedures and requirements to protect the federal
and state constitutional rights and civil liberties of individuals who
apply for and hold" licenses and ID cards. The act will not preempt any
stronger state legislation that is more protective of privacy. The act
provides individuals with administrative rights to access and correction
of their records; however, it does not prohibit the exemption of the
database from Privacy Act of 1974 requirements ensuring judicial rights
to access and correction.

One provision that ISEA shares with the REAL ID Act carries a significant
privacy risk. REAL ID requires that licenses and ID cards display a person's
"address of legal residence," while ISEA requires a person's "address of
principal residence." Currently, domestic violence victims are allowed
to list P.O. boxes or other addresses to protect their privacy.
Including such alternatives in ISEA would combat the substantial privacy
risk to such individuals.

The Identification Security Enhancement Act (S. 4117):


The REAL ID Act of 2005 (Pub. L. 109-13):


EPIC's page on National ID Cards and REAL ID Act:


EPIC's Domestic Violence and Privacy Project:


[4] E-Voting Advisory Committee Rejects Trust of Software

The Technical Guidelines Development Committee (TGDC) adopted a
resolution that would prevent future voting systems from relying solely
on the correctness of their software to determine the accuracy of
elections. In effect, the resolution requires voting systems to support
verification of election results that does not depend on the software. The
resolution, offered by a member of TGDC's Security and Transparency
Subcommittee, was based in part on the work done by National Institute
of Standards and Technology (NIST) staff, which provides technical
assistance to the TGDC as it prepares draft recommendations for the 2007
voting system guidelines.

The NIST paper explained the concept of "software independence" as a
state wherein "an undetected change or error in software cannot cause an
undetectable change or error in an election outcome." Dr. William
Jeffrey, chair of the TGDC, explained that the resolution requires that
the accuracy of a system's electronic records be able to be
independently audited against a voter-verified record. The only systems
that do this currently are paper-based, such as optical scan systems;
however, the resolution does not preclude paperless systems from meeting
the standard in the future.
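The following is an added illustration of the "software independence"
idea described above; it is not code from NIST, the TGDC, or EPIC. It
models a constructed two-candidate election (520 votes for A, 480 for B)
in which the tabulation software misrecords just enough ballots to flip
the outcome. Checking the electronic record against itself finds
nothing; checking it against the voter-verified paper record surfaces
the discrepancies, and the hypergeometric calculation shows why an
outcome-changing alteration cannot escape a modest random audit. All
function names, the sample sizes and the election figures are the
example's own assumptions.

```python
"""Illustration of "software independence": an electronic tally is checked
against a voter-verified paper record, so a software change that alters
the outcome cannot go undetected. Added example; not NIST's or the TGDC's
code. The election data below is constructed, not real."""
import random
from collections import Counter
from math import comb


def make_paper_ballots(votes_a=520, votes_b=480):
    """Voter-verified paper record: one entry per ballot (constructed)."""
    return ["A"] * votes_a + ["B"] * votes_b


def tabulate(records):
    """Tally a list of per-ballot votes."""
    return Counter(records)


def winner(records):
    tally = tabulate(records)
    return max(tally, key=tally.get)


def min_flips_to_change_outcome(records):
    """Smallest number of single-ballot changes that would flip the winner."""
    tally = tabulate(records)
    (_, top), (_, second) = tally.most_common(2)
    return (top - second) // 2 + 1


def tamper(electronic, flips):
    """Simulate buggy or malicious tabulation software that records the
    first `flips` votes for A as votes for B."""
    out = list(electronic)
    done = 0
    for i, v in enumerate(out):
        if done == flips:
            break
        if v == "A":
            out[i] = "B"
            done += 1
    return out


def comparison_audit(electronic, reference, sample_size, seed=1):
    """Ballot-level comparison: draw a random sample of ballot positions and
    compare the electronic cast vote record with the reference record at
    each one. Returns the positions where the two disagree. If the
    reference is the paper record, the check is independent of the
    tabulation software; if it is another copy of the electronic record,
    it can only confirm that the software agrees with itself."""
    rng = random.Random(seed)
    positions = rng.sample(range(len(reference)), sample_size)
    return sorted(i for i in positions if electronic[i] != reference[i])


def detection_probability(n_ballots, n_altered, sample_size):
    """Probability that a random sample (without replacement) of
    `sample_size` ballots contains at least one of the `n_altered`
    altered ballots: 1 - C(n - k, s) / C(n, s)."""
    if n_altered == 0:
        return 0.0
    if sample_size > n_ballots - n_altered:
        return 1.0
    return 1.0 - comb(n_ballots - n_altered, sample_size) / comb(n_ballots, sample_size)


def run_demo(sample_size=200):
    paper = make_paper_ballots()
    flips = min_flips_to_change_outcome(paper)   # 21 for a 520/480 split
    electronic = tamper(paper, flips)            # software now reports B winning

    # Checking the electronic record against itself reveals nothing.
    self_check = comparison_audit(electronic, electronic, sample_size)
    # Checking it against the voter-verified paper record surfaces errors.
    paper_check = comparison_audit(electronic, paper, sample_size)
    return {
        "paper_winner": winner(paper),
        "electronic_winner": winner(electronic),
        "flips_needed": flips,
        "self_check_discrepancies": len(self_check),
        "paper_check_discrepancies": len(paper_check),
        "detection_probability": detection_probability(len(paper), flips, sample_size),
    }


if __name__ == "__main__":
    print(run_demo())
```

With these constructed figures, 21 misrecorded ballots are enough to
change the winner, and a random comparison of 200 of the 1,000 paper
ballots has better than a 99% chance of landing on at least one of
them, while a self-check of the electronic record alone can never
disagree with itself. That is the sense in which a paperless system
with no independent record fails the standard and a paper-based one
can meet it.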

The TGDC voted on the recommendation during its December 4-5 meeting.
The TGDC is the technical advisory committee to the Election Assistance
Commission created by the Help America Vote Act. The TGDC is chaired by
the Director of NIST, and is responsible for the development of
recommendations on electronic voting system standards. The first
document produced by this process resulted in the 2005 Voluntary Voting
System Guidelines.

Technical Guidelines Development Committee:


National Institute of Standards and Technology's HAVA Work:


NIST Paper: Requiring Software Independence in VVSG 2007: STS
Recommendations for the TGDC (pdf):


Resolutions Adopted by the TGDC (pdf):


Election Assistance Commission:


Testimony of NIST Director before the Election Assistance Commission:


National Committee for Voting Integrity:


[5] Congress Passes U.S. SAFE WEB Act

On December 9, Congress passed S.1608, the "Undertaking Spam, Spyware,
And Fraud Enforcement With Enforcers Beyond Borders Act of 2006" (U.S.
SAFE WEB Act of 2006). The U.S. SAFE WEB Act amends the Federal Trade
Commission Act to bolster the Federal Trade Commission's efforts to
protect consumers, specifically to combat spam, spyware, and Internet
fraud and deception.

Provisions of the legislation authorize the FTC to share information
with criminal authorities, which will improve information sharing with
foreign agencies that treat consumer fraud and deception as a criminal
law enforcement issue. The legislation also permits the FTC to work with
the Department of Justice to increase the resources relating to
FTC-related foreign litigation, such as freezing foreign assets and
enforcing U.S. court judgments abroad.

A previous bill, titled the International Consumer Protection Act of
2003 (S.1234), similarly attempted to expand the powers of the FTC to
share information about cross-border fraud. In testimony given on
September 17, 2003, EPIC supported the passage of legislation that
enables the FTC to work more closely with consumer protection agencies
in other countries to safeguard the interests of consumers and users of
online services, but said that provisions in the bill that reduce
privacy safeguards, limit government oversight, and diminish legal
safeguards should be removed.

The U.S. SAFE WEB Act is a marked improvement over the 2003 bill, and
addresses many of the privacy issues raised by EPIC. It contains an
improvement in government oversight from the previous bill, requiring a
detailed report to Congress within three years of passage. The U.S. SAFE
WEB Act also removed a provision which exempted information or material
voluntarily provided relevant to possible unfair or deceptive acts or
practices from the disclosure requirements of the Freedom of Information
Act. The receipt of foreign information remains exempt from Freedom of
Information Act disclosure.

While a provision was added to limit sharing of information to offenses
that are covered by mutual legal assistance treaties, the U.S. SAFE WEB
Act did not remove a provision that would allow investigations "without
requiring that the conduct identified in the request constitute a
violation of the laws of the United States."

Summary of the U.S. SAFE WEB Act (pdf):

     http://www.ftc.gov/reports/ussafeweb/Summary of US SAFE WEB Act.pdf

EPIC testimony before the House Committee on Energy and Commerce on the
International Consumer Protection Act of 2003:


EPIC testimony before the Senate Committee on Commerce, Science and
Transportation on the International Consumer Protection Act of 2003:


[6] News in Brief

December 10 Marked International Human Rights Day

On Sunday, the world marked Human Rights Day, which commemorates the day
the United Nations General Assembly adopted the Universal Declaration of
Human Rights: December 10, 1948. Territorial and communications privacy
is specifically protected in Article 12 of the Declaration, which
states, "No one shall be subjected to arbitrary interference with his
privacy, family, home or correspondence, nor to attacks upon his honour
and reputation. Everyone has the right to the protection of the law
against such interference or attacks." Nearly every country in the world
includes a right of privacy in its constitution. At a minimum, these
provisions include rights of inviolability of the home and secrecy of
communications. Most recently written constitutions include specific
rights to access and control one's personal information. In many of the
countries where privacy is not explicitly recognized in the
constitution, the courts have found that right in other provisions or in
international agreements that have been adopted into law.

UN Declaration of Human Rights:


Human Rights Day 2006:


Privacy and Human Rights 2005:


Government to Release Report Criticizing RFID Use in IDs

A revised version of a report from the Department of Homeland Security
Data Privacy and Integrity Advisory Committee will soon be released to
the public. This version tones down language in the original draft but
both reports conclude that radio frequency identification technology has
a myriad of privacy and security vulnerabilities, especially in the
context of ID documents. The draft report said, "RFID appears to offer
little benefit when compared to the consequences it brings for privacy
and data integrity." EPIC has previously explained that, in the absence
of effective security techniques, RFID tags are remotely and secretly
readable, which creates significant security problems.

Department of Homeland Security Data Privacy and Integrity Advisory
Committee: DRAFT: The Use of RFID for Human Identification (pdf):


EPIC's page on RFID:


Massive Security Breach at UCLA Puts 800,000 at Risk

One or more hackers have gained access to a UCLA database containing
personal data on about 800,000 of the university's current and former
students, faculty and staff members. UCLA officials said the database
had records containing individuals' names, Social Security numbers and
birth dates. This is just the latest in a string of security breaches
that exposed personal data. A number of federal data breach bills were
proposed in Congress this year, though few implemented all of the
proposals urged by state governments and consumer groups. At least 33
states already have data breach notification laws.

Press Release, UCLA Warns of Unauthorized Access to Restricted Database:


ID Theft Prevention Tips for Veterans from Privacy Rights Clearinghouse:


Report: Data Mining Costly, Ineffective, Violates Liberties

In a new report, "Effective Counter-Terrorism and the Limited Role of
Predictive Data Mining," Jim Harper, director of information policy
studies at the Cato Institute, and Jeff Jonas, engineer and chief
scientist with IBM's Entity Analytic Solutions Group, explain that data
mining is costly, ineffective, and a violation of fundamental liberties.
In data mining, the government analyzes private data from large numbers
of people. Data mining is ineffective because the "statistical likelihood of
false positives is so high that predictive data mining will inevitably
waste resources and threaten civil liberties," according to the report.
The government is facing opposition from groups protesting its use of
data mining in Homeland Security's "Automated Targeting System," a
federal database that creates secret terrorist ratings on tens of
millions of American citizens. The public has until Friday, December 29
to comment on the program.

Jeff Jonas and Jim Harper, Policy Analysis: Effective Counterterrorism
and the Limited Role of Predictive Data Mining:


Comments of EPIC, 29 organizations and 16 privacy and technology experts


Submit comments on the Automated Targeting System here:


Phoenix Airport to Use 'Backscatter X-Ray' on Travelers

Sky Harbor International Airport located in Phoenix, Ariz. announced
that it will be field testing a new "backscatter X-ray" system intended
to screen passengers before boarding airplanes. This method of screening
passengers would reveal not only prohibited items but also medical
details such as prosthetic devices and old injuries.  The $100,000
refrigerator-size machines use "backscatter" technology, which bounces
low-radiation X-rays off of a passenger to produce photo-quality images
of metal, plastic and organic materials underneath clothes. The fact
that the machines have the capacity to record and store images raises
questions about secondary uses of the data.

EPIC's June 2005 Spotlight on Surveillance about backscatter X-ray


EPIC's page on Backscatter X-Ray Screening Technology:


Malaysia to Put RFID Chips in License Plates

Malaysia's government will embed license plates with radio frequency
identification (RFID) chips containing information about the vehicle and
its owner. Touted as an anti-theft device, the government says that with
the chips, officials can scan cars and identify stolen vehicles. The
license plates will transmit data at a range of up to 100 meters and
have a battery life of up to 10 years.

EPIC's page on RFID:


[7] EPIC Bookstore: "Security in Computing"

"Security in Computing" by Charles P. Pfleeger & Shari Lawrence Pfleeger
(Prentice Hall PTR 2006).


"A sweeping revision of the classic computer security text. This book
provides end-to-end, detailed coverage of the state of the art in all
aspects of computer security. Starting with a clear, in-depth review of
cryptography, it also covers specific options for securing software and
data against malicious code and intruders; the special challenges of
securing networks and distributed systems; firewalls; ways to administer
security on personal computers and UNIX systems; analyzing security
risks and benefits; and the legal and ethical issues surrounding
computer security."


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Assessing Current Privacy Issues. Riley Information Services, Inc.
February 21, 2007. Ottawa, Ontario, Canada. For more information:

5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the United
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.25 -------------------------